diff --git a/Makefile b/Makefile index f9d7aa054eb1..41085b346ca2 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ TOOLS_DIR := $(PWD)/.tools KIND := $(TOOLS_DIR)/kind KIND_VERSION := v0.17.0 CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen -CONTROLLER_GEN_VERSION := v0.11.3 +CONTROLLER_GEN_VERSION ?= v0.14.0 CLIENT_GEN := $(TOOLS_DIR)/client-gen LISTER_GEN := $(TOOLS_DIR)/lister-gen INFORMER_GEN := $(TOOLS_DIR)/informer-gen @@ -426,12 +426,12 @@ codegen-client-all: codegen-client-clientset codegen-client-listers codegen-clie .PHONY: codegen-crds-kyverno codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs @echo Generate kyverno crds... >&2 - @$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) + @$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) .PHONY: codegen-crds-report codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs @echo Generate policy reports crds... >&2 - @$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) + @$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) .PHONY: codegen-crds-all codegen-crds-all: codegen-crds-kyverno codegen-crds-report ## Generate all CRDs diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index dd9ad92d946e..c0d83d80e851 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright The Kubernetes Authors. @@ -612,7 +611,8 @@ func (in ImageExtractorConfigs) DeepCopyInto(out *ImageExtractorConfigs) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]ImageExtractorConfig, len(*in)) copy(*out, *in) } @@ -1111,7 +1111,8 @@ func (in *Rule) DeepCopyInto(out *Rule) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]ImageExtractorConfig, len(*in)) copy(*out, *in) } diff --git a/api/kyverno/v1alpha2/zz_generated.deepcopy.go b/api/kyverno/v1alpha2/zz_generated.deepcopy.go index 668fe7a4cddd..89a2c142f635 100644 --- a/api/kyverno/v1alpha2/zz_generated.deepcopy.go +++ b/api/kyverno/v1alpha2/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright The Kubernetes Authors. diff --git a/api/kyverno/v1beta1/zz_generated.deepcopy.go b/api/kyverno/v1beta1/zz_generated.deepcopy.go index ed4f1b2fd291..94b453a65ce2 100644 --- a/api/kyverno/v1beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright The Kubernetes Authors. diff --git a/api/kyverno/v2alpha1/zz_generated.deepcopy.go b/api/kyverno/v2alpha1/zz_generated.deepcopy.go index 7a1fb2b4c897..0ba8e6b1294d 100644 --- a/api/kyverno/v2alpha1/zz_generated.deepcopy.go +++ b/api/kyverno/v2alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright The Kubernetes Authors. diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index 4c50dc311aad..2944a2195fbd 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright The Kubernetes Authors. @@ -393,7 +392,8 @@ func (in *Rule) DeepCopyInto(out *Rule) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make([]v1.ImageExtractorConfig, len(*in)) copy(*out, *in) } diff --git a/api/policyreport/v1alpha2/zz_generated.deepcopy.go b/api/policyreport/v1alpha2/zz_generated.deepcopy.go index 366791c030f0..4d421cf17a5c 100644 --- a/api/policyreport/v1alpha2/zz_generated.deepcopy.go +++ b/api/policyreport/v1alpha2/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright The Kubernetes Authors. diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 88478e133567..2bfa820d95e7 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -319,6 +319,7 @@ The chart values are organised per component. | admissionController.rbac.create | bool | `true` | Create RBAC resources | | admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | | admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | admissionController.replicas | int | `nil` | Desired number of pods | @@ -403,6 +404,7 @@ The chart values are organised per component. | backgroundController.rbac.create | bool | `true` | Create RBAC resources | | backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | | backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | backgroundController.image.registry | string | `"ghcr.io"` | Image registry | | backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository | @@ -466,6 +468,7 @@ The chart values are organised per component. | cleanupController.rbac.create | bool | `true` | Create RBAC resources | | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | | cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| cleanupController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | cleanupController.image.registry | string | `"ghcr.io"` | Image registry | @@ -537,6 +540,7 @@ The chart values are organised per component. | reportsController.rbac.create | bool | `true` | Create RBAC resources | | reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | | reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | reportsController.image.registry | string | `"ghcr.io"` | Image registry | | reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository | diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml index 937eb23039b7..0d87fd81eb33 100644 --- a/charts/kyverno/templates/admission-controller/clusterrole.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml @@ -94,14 +94,9 @@ rules: - subjectaccessreviews verbs: - create - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch +{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.admissionController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/background-controller/clusterrole.yaml b/charts/kyverno/templates/background-controller/clusterrole.yaml index a87265367582..291f929f4460 100644 --- a/charts/kyverno/templates/background-controller/clusterrole.yaml +++ b/charts/kyverno/templates/background-controller/clusterrole.yaml @@ -18,14 +18,6 @@ metadata: labels: {{- include "kyverno.background-controller.labels" . | nindent 4 }} rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - kyverno.io resources: @@ -82,6 +74,9 @@ rules: - update - patch - delete +{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.backgroundController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index 349b841dfbcb..1f2dfa09231f 100644 --- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -18,14 +18,6 @@ metadata: labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - admissionregistration.k8s.io resources: @@ -87,6 +79,9 @@ rules: - subjectaccessreviews verbs: - create +{{- with .Values.cleanupController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.cleanupController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/templates/crds/crds.yaml b/charts/kyverno/templates/crds/crds.yaml index c76b107e30ce..f4b941e1cde6 100644 --- a/charts/kyverno/templates/crds/crds.yaml +++ b/charts/kyverno/templates/crds/crds.yaml @@ -4,12 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -61,14 +56,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -82,25 +82,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -132,35 +140,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -172,11 +180,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -184,66 +191,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -282,17 +286,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -341,12 +346,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -403,14 +403,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -439,35 +444,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -479,11 +484,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -491,66 +495,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -589,17 +590,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -646,12 +648,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -679,14 +676,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -698,10 +700,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -712,11 +715,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -734,17 +737,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -755,11 +759,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -777,18 +781,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -809,11 +813,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -821,52 +824,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -878,19 +878,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -910,38 +908,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -953,12 +948,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -973,32 +966,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1027,11 +1016,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1039,52 +1027,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1096,19 +1081,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1128,38 +1111,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1171,12 +1151,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1191,32 +1169,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1228,10 +1202,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1252,11 +1227,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1264,52 +1238,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1321,19 +1292,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1353,38 +1322,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1396,12 +1362,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1416,32 +1380,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1470,11 +1430,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1482,52 +1441,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1539,19 +1495,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1571,38 +1525,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1614,12 +1565,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1634,32 +1583,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1682,42 +1627,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1731,11 +1676,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1760,12 +1706,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io @@ -1818,14 +1759,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1839,25 +1785,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -1889,35 +1843,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1929,11 +1883,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1941,66 +1894,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -2039,17 +1989,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -2098,12 +2049,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -2160,14 +2106,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -2196,35 +2147,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2236,11 +2187,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2248,66 +2198,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -2346,17 +2293,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -2403,12 +2351,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -2436,14 +2379,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -2455,10 +2403,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -2469,11 +2418,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2491,17 +2440,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -2512,11 +2462,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2534,18 +2484,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -2566,11 +2516,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2578,52 +2527,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2635,19 +2581,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2667,38 +2611,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2710,12 +2651,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2730,32 +2669,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2784,11 +2719,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2796,52 +2730,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2853,19 +2784,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2885,38 +2814,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2928,12 +2854,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2948,32 +2872,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2985,10 +2905,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -3009,11 +2930,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -3021,52 +2941,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3078,19 +2995,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3110,38 +3025,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3153,12 +3065,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3173,32 +3083,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3227,11 +3133,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -3239,52 +3144,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3296,19 +3198,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3328,38 +3228,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3371,12 +3268,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3391,32 +3286,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3439,42 +3330,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -3488,11 +3379,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -3517,12 +3409,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -3580,14 +3467,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3595,68 +3487,68 @@ spec: description: Spec declares policy behaviors. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -3678,13 +3570,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -3699,22 +3590,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -3731,17 +3624,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -3754,13 +3650,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -3770,10 +3667,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -3795,11 +3692,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -3807,58 +3703,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3871,20 +3758,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3904,42 +3788,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3952,12 +3829,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3972,32 +3847,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -4028,11 +3898,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4040,58 +3909,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4104,20 +3964,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4137,42 +3994,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4185,12 +4035,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4205,32 +4053,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -4248,20 +4091,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4269,52 +4111,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4326,19 +4165,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4358,38 +4195,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4401,12 +4235,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4421,32 +4253,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4462,10 +4290,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -4487,34 +4315,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4526,21 +4353,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -4552,12 +4377,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -4565,50 +4389,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -4630,11 +4451,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4642,58 +4462,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4706,20 +4517,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4739,42 +4547,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4787,12 +4588,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4807,32 +4606,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -4863,11 +4657,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4875,58 +4668,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4939,20 +4723,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4972,42 +4753,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5020,12 +4794,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5040,32 +4812,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -5083,20 +4850,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5104,52 +4870,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5161,19 +4924,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5193,38 +4954,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5236,12 +4994,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5256,32 +5012,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5307,15 +5059,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -5337,14 +5088,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5359,25 +5108,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5395,20 +5143,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5421,15 +5169,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -5442,42 +5189,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5491,13 +5237,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5517,20 +5261,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5544,13 +5286,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5570,10 +5310,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5582,14 +5321,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -5605,15 +5345,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -5635,14 +5374,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5657,25 +5394,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5693,20 +5429,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5719,15 +5455,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -5746,13 +5481,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5763,31 +5497,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -5801,23 +5535,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -5839,14 +5572,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5861,25 +5592,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5897,20 +5627,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5923,15 +5653,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -5945,47 +5674,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5999,13 +5724,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6025,20 +5748,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6052,13 +5773,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6078,10 +5797,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6103,31 +5821,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6148,12 +5860,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6165,8 +5875,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -6181,14 +5891,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6199,10 +5905,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -6215,36 +5920,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6279,12 +5974,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -6325,9 +6017,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -6339,9 +6031,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -6351,8 +6043,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -6371,13 +6064,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -6386,19 +6077,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -6416,37 +6106,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -6454,31 +6144,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6499,13 +6183,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6517,9 +6198,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -6533,15 +6214,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6552,10 +6228,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -6568,40 +6243,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6637,37 +6298,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6682,14 +6336,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6709,20 +6360,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6737,14 +6386,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6764,10 +6410,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6787,29 +6432,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6830,12 +6471,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -6847,8 +6486,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -6863,13 +6502,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -6880,10 +6516,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -6896,35 +6531,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -6959,54 +6585,50 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -7015,19 +6637,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -7044,17 +6666,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -7062,9 +6684,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -7077,34 +6699,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7116,11 +6738,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7131,11 +6752,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -7149,24 +6769,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -7188,13 +6807,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7209,23 +6827,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -7242,19 +6861,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7267,14 +6887,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -7284,11 +6904,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -7310,10 +6929,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -7322,60 +6940,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7388,20 +6995,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7422,44 +7026,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7472,12 +7067,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7492,36 +7085,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -7551,10 +7136,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -7563,60 +7147,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7629,20 +7202,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7663,44 +7233,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7713,12 +7274,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7733,36 +7292,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -7779,21 +7330,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7801,57 +7350,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7864,20 +7405,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7897,42 +7435,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7945,12 +7476,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7965,32 +7494,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8006,11 +7531,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -8034,37 +7558,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8077,22 +7597,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -8104,11 +7621,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -8117,50 +7633,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -8183,10 +7695,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -8195,60 +7706,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8261,20 +7761,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8295,44 +7792,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8345,12 +7833,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8365,36 +7851,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8424,10 +7902,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -8436,60 +7913,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8502,20 +7968,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8536,44 +7999,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8586,12 +8040,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8606,36 +8058,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8652,21 +8096,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8674,57 +8116,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8737,20 +8171,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8770,42 +8201,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8818,12 +8242,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8838,32 +8260,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8890,16 +8308,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -8922,15 +8338,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8945,25 +8358,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -8983,21 +8394,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9011,15 +8421,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -9034,43 +8443,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9085,14 +8492,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9112,20 +8516,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9140,14 +8542,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9167,10 +8566,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9179,14 +8577,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -9202,16 +8601,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -9234,15 +8631,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9257,25 +8651,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -9295,21 +8687,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9323,15 +8714,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -9351,14 +8741,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9369,32 +8757,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -9409,24 +8796,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -9449,15 +8834,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9472,25 +8854,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -9510,21 +8890,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9538,15 +8917,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -9561,48 +8939,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9617,14 +8991,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9644,20 +9015,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9672,14 +9041,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9699,10 +9065,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9725,31 +9090,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -9770,13 +9129,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9788,9 +9144,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -9804,15 +9160,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9823,10 +9174,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -9839,40 +9189,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9908,12 +9244,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -9954,10 +9287,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -9969,9 +9301,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -9981,9 +9313,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -10002,14 +9334,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -10018,19 +9347,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -10048,38 +9376,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -10087,33 +9414,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -10136,14 +9455,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -10156,9 +9471,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -10172,16 +9487,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -10193,11 +9502,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -10211,43 +9518,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -10286,40 +9576,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10334,14 +9614,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10361,21 +9638,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10390,14 +9664,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10417,10 +9688,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10440,31 +9710,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -10485,12 +9749,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10502,8 +9764,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -10518,14 +9780,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10536,10 +9794,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10552,38 +9809,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10619,56 +9864,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -10677,19 +9916,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -10711,42 +9950,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -10760,11 +9999,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -10777,8 +10017,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -10854,14 +10095,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -10869,67 +10115,67 @@ spec: description: Spec declares policy behaviors. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -10951,13 +10197,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10972,22 +10217,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11004,17 +10251,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11027,13 +10277,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -11043,10 +10294,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -11068,11 +10319,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11080,58 +10330,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11144,20 +10385,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11177,42 +10415,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11225,12 +10456,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11245,32 +10474,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -11301,11 +10525,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11313,58 +10536,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11377,20 +10591,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11410,42 +10621,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11458,12 +10662,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11478,32 +10680,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -11522,10 +10719,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -11547,34 +10744,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -11586,21 +10782,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -11612,12 +10806,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -11625,50 +10818,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -11690,11 +10880,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11702,58 +10891,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11766,20 +10946,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11799,42 +10976,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11847,12 +11017,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11867,32 +11035,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -11923,11 +11086,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11935,58 +11097,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11999,20 +11152,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12032,42 +11182,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12080,12 +11223,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12100,32 +11241,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -12154,15 +11290,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -12184,14 +11319,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12206,25 +11339,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -12242,20 +11374,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12268,15 +11400,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -12289,42 +11420,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12338,13 +11468,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12364,20 +11492,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12391,13 +11517,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12417,10 +11541,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12429,14 +11552,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -12452,15 +11576,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -12482,14 +11605,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12504,25 +11625,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -12540,20 +11660,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12566,15 +11686,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -12593,13 +11712,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12610,18 +11728,18 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -12632,11 +11750,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12654,18 +11772,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -12676,11 +11794,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12698,9 +11816,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12709,25 +11827,25 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -12740,13 +11858,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12764,17 +11880,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -12787,13 +11903,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12811,9 +11925,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12830,23 +11944,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -12868,14 +11981,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12890,25 +12001,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -12926,20 +12036,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12952,15 +12062,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -12974,47 +12083,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13028,13 +12133,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13054,20 +12157,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13081,13 +12182,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13107,10 +12206,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13132,31 +12230,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13177,12 +12269,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13194,8 +12284,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13210,14 +12300,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13228,10 +12314,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -13244,36 +12329,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13308,12 +12383,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -13354,9 +12426,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -13368,9 +12440,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -13380,8 +12452,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -13400,13 +12473,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13415,19 +12486,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -13445,22 +12515,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -13468,31 +12537,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13513,13 +12576,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13531,9 +12591,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -13547,15 +12607,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13566,10 +12621,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -13582,40 +12636,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13651,37 +12691,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13696,14 +12729,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13723,20 +12753,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13751,14 +12779,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13778,10 +12803,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13801,29 +12825,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13844,12 +12864,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -13861,8 +12879,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13877,13 +12895,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -13894,10 +12909,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -13910,35 +12924,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -13973,39 +12978,34 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -14014,9 +13014,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -14033,17 +13033,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -14051,9 +13051,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -14066,34 +13066,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -14105,11 +13105,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14120,11 +13119,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -14138,24 +13136,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -14177,13 +13174,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -14198,23 +13194,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -14231,19 +13228,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -14256,14 +13254,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -14273,11 +13271,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -14299,10 +13296,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14311,60 +13307,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14377,20 +13362,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14411,44 +13393,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14461,12 +13434,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14481,36 +13452,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14540,10 +13503,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14552,60 +13514,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14618,20 +13569,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14652,44 +13600,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14702,12 +13641,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14722,36 +13659,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14768,21 +13697,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -14790,57 +13717,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14853,20 +13772,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14886,42 +13802,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14934,12 +13843,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14954,32 +13861,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14995,11 +13898,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -15023,37 +13925,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15066,22 +13964,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -15093,11 +13988,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -15106,50 +14000,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -15172,10 +14062,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -15184,60 +14073,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15250,20 +14128,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15284,44 +14159,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15334,12 +14200,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15354,36 +14218,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15413,10 +14269,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -15425,60 +14280,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15491,20 +14335,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15525,44 +14366,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15575,12 +14407,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15595,36 +14425,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15641,21 +14463,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -15663,57 +14483,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15726,20 +14538,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15759,42 +14568,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15807,12 +14609,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15827,32 +14627,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15879,16 +14675,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15911,15 +14705,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -15934,25 +14725,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15972,21 +14761,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16000,15 +14788,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16023,43 +14810,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16074,14 +14859,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16101,20 +14883,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16129,14 +14909,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16156,10 +14933,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16168,14 +14944,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -16191,16 +14968,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16223,15 +14998,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16246,25 +15018,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16284,21 +15054,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16312,15 +15081,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16340,14 +15108,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16358,32 +15124,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -16398,24 +15163,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16438,15 +15201,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16461,25 +15221,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16499,21 +15257,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16527,15 +15284,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16550,48 +15306,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16606,14 +15358,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16633,20 +15382,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16661,14 +15408,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16688,10 +15432,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16714,31 +15457,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -16759,13 +15496,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -16777,9 +15511,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16793,15 +15527,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -16812,10 +15541,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16828,40 +15556,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -16897,12 +15611,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16943,10 +15654,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16958,9 +15668,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16970,9 +15680,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -16991,14 +15701,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -17007,19 +15714,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -17037,38 +15743,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -17076,33 +15781,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -17125,14 +15822,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -17145,9 +15838,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17161,16 +15854,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -17182,11 +15869,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17200,43 +15885,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -17275,40 +15943,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17323,14 +15981,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17350,21 +16005,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17379,14 +16031,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17406,10 +16055,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17429,31 +16077,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -17474,12 +16116,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17491,8 +16131,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -17507,14 +16147,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17525,10 +16161,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -17541,38 +16176,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17608,56 +16231,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -17666,19 +16283,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -17700,42 +16317,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -17749,11 +16366,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -17766,8 +16384,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -17805,12 +16424,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io @@ -17864,19 +16478,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -17884,68 +16503,68 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -17967,13 +16586,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -17988,22 +16606,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -18020,17 +16640,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -18043,13 +16666,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -18059,10 +16683,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -18084,11 +16708,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -18096,58 +16719,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18160,20 +16774,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -18193,42 +16804,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18241,12 +16845,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -18261,32 +16863,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -18317,11 +16914,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -18329,58 +16925,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18393,20 +16980,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -18426,42 +17010,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18474,12 +17051,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -18494,32 +17069,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -18537,20 +17107,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -18558,52 +17127,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -18615,19 +17181,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -18647,38 +17211,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -18690,12 +17251,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -18710,32 +17269,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -18751,10 +17306,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -18776,34 +17331,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -18815,21 +17369,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -18841,12 +17393,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -18854,50 +17405,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -18919,11 +17467,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -18931,58 +17478,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18995,20 +17533,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -19028,42 +17563,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -19076,12 +17604,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19096,32 +17622,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -19152,11 +17673,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -19164,58 +17684,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -19228,20 +17739,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -19261,42 +17769,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -19309,12 +17810,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19329,32 +17828,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -19372,20 +17866,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -19393,52 +17886,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -19450,19 +17940,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -19482,38 +17970,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -19525,12 +18010,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19545,32 +18028,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -19596,15 +18075,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -19626,14 +18104,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -19648,25 +18124,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -19684,20 +18159,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -19710,15 +18185,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -19731,42 +18205,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19780,13 +18253,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19806,20 +18277,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19833,13 +18302,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19859,10 +18326,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -19871,14 +18337,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -19894,15 +18361,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -19924,14 +18390,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -19946,25 +18410,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -19982,20 +18445,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -20008,15 +18471,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -20035,13 +18497,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -20052,31 +18513,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -20090,23 +18551,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -20128,14 +18588,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -20150,25 +18608,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -20186,20 +18643,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -20212,15 +18669,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -20234,47 +18690,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -20288,13 +18740,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -20314,20 +18764,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -20341,13 +18789,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -20367,10 +18813,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -20392,31 +18837,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -20437,12 +18876,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20454,8 +18891,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -20470,14 +18907,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20488,10 +18921,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -20504,36 +18936,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20568,12 +18990,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -20614,9 +19033,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -20628,9 +19047,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -20640,8 +19059,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -20660,13 +19080,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -20675,19 +19093,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -20705,37 +19122,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -20743,31 +19160,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -20788,13 +19199,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20806,9 +19214,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -20822,15 +19230,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20841,10 +19244,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -20857,40 +19259,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20926,37 +19314,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -20971,14 +19352,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -20998,20 +19376,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -21026,14 +19402,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -21053,10 +19426,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -21076,29 +19448,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -21119,12 +19487,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -21136,8 +19502,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -21152,13 +19518,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -21169,10 +19532,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -21185,35 +19547,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -21248,54 +19601,50 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -21304,19 +19653,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -21333,17 +19682,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -21351,9 +19700,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -21366,34 +19715,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -21405,11 +19754,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21420,17 +19768,17 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object status: - description: Status contains policy runtime information. Deprecated. Policy - metrics are available via the metrics endpoint + description: |- + Status contains policy runtime information. + Deprecated. Policy metrics are available via the metrics endpoint properties: autogen: description: Autogen contains autogen status information @@ -21439,24 +19787,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -21478,13 +19825,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -21499,23 +19845,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -21532,19 +19879,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -21557,14 +19905,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -21574,11 +19922,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -21600,10 +19947,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -21612,60 +19958,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21678,20 +20013,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21712,44 +20044,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21762,12 +20085,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21782,36 +20103,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -21841,10 +20154,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -21853,60 +20165,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21919,20 +20220,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21953,44 +20251,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22003,12 +20292,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -22023,36 +20310,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22069,21 +20348,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -22091,57 +20368,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22154,20 +20423,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -22187,42 +20453,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22235,12 +20494,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -22255,32 +20512,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22296,11 +20549,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -22324,37 +20576,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22367,22 +20615,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -22394,11 +20639,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -22407,50 +20651,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -22473,10 +20713,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -22485,60 +20724,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22551,20 +20779,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -22585,44 +20810,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22635,12 +20851,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -22655,36 +20869,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22714,10 +20920,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -22726,60 +20931,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22792,20 +20986,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -22826,44 +21017,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22876,12 +21058,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -22896,36 +21076,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22942,21 +21114,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -22964,57 +21134,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -23027,20 +21189,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -23060,42 +21219,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -23108,12 +21260,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -23128,32 +21278,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -23180,16 +21326,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -23212,15 +21356,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -23235,25 +21376,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -23273,21 +21412,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -23301,15 +21439,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -23324,43 +21461,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23375,14 +21510,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23402,20 +21534,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23430,14 +21560,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23457,10 +21584,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -23469,14 +21595,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -23492,16 +21619,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -23524,15 +21649,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -23547,25 +21669,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -23585,21 +21705,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -23613,15 +21732,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -23641,14 +21759,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -23659,32 +21775,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -23699,24 +21814,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -23739,15 +21852,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -23762,25 +21872,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -23800,21 +21908,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -23828,15 +21935,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -23851,48 +21957,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23907,14 +22009,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23934,20 +22033,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23962,14 +22059,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23989,10 +22083,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -24015,31 +22108,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -24060,13 +22147,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24078,9 +22162,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -24094,15 +22178,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24113,10 +22192,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -24129,40 +22207,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24198,12 +22262,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -24244,10 +22305,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -24259,9 +22319,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -24271,9 +22331,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -24292,14 +22352,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -24308,19 +22365,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -24338,38 +22394,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -24377,33 +22432,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -24426,14 +22473,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -24446,9 +22489,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -24462,16 +22505,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -24483,11 +22520,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -24501,43 +22536,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -24576,40 +22594,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -24624,14 +22632,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24651,21 +22656,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -24680,14 +22682,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24707,10 +22706,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -24730,31 +22728,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -24775,12 +22767,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24792,8 +22782,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -24808,14 +22798,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24826,10 +22812,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -24842,38 +22827,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24909,56 +22882,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -24967,19 +22934,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -25001,42 +22968,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -25050,11 +23017,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -25067,8 +23035,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -25140,19 +23109,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -25160,67 +23134,67 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -25242,13 +23216,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -25263,22 +23236,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -25295,17 +23270,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -25318,13 +23296,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -25334,10 +23313,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -25359,11 +23338,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25371,58 +23349,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25435,20 +23404,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25468,42 +23434,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25516,12 +23475,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25536,32 +23493,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -25592,11 +23544,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25604,58 +23555,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25668,20 +23610,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25701,42 +23640,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25749,12 +23681,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25769,32 +23699,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -25813,10 +23738,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -25838,34 +23763,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25877,21 +23801,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -25903,12 +23825,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -25916,50 +23837,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -25981,11 +23899,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25993,58 +23910,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26057,20 +23965,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -26090,42 +23995,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26138,12 +24036,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -26158,32 +24054,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26214,11 +24105,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -26226,58 +24116,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26290,20 +24171,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -26323,42 +24201,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26371,12 +24242,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -26391,32 +24260,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26445,15 +24309,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26475,14 +24338,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26497,25 +24358,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26533,20 +24393,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -26559,15 +24419,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26580,42 +24439,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26629,13 +24487,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26655,20 +24511,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26682,13 +24536,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26708,10 +24560,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -26720,14 +24571,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -26743,15 +24595,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26773,14 +24624,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26795,25 +24644,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26831,20 +24679,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -26857,15 +24705,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26884,13 +24731,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -26901,18 +24747,18 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -26923,11 +24769,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26945,18 +24791,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -26967,11 +24813,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26989,9 +24835,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27000,25 +24846,25 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -27031,13 +24877,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27055,17 +24899,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -27078,13 +24922,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27102,9 +24944,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27121,23 +24963,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -27159,14 +25000,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -27181,25 +25020,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -27217,20 +25055,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -27243,15 +25081,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -27265,47 +25102,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27319,13 +25152,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27345,20 +25176,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27372,13 +25201,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27398,10 +25225,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27423,31 +25249,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -27468,12 +25288,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27485,8 +25303,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -27501,14 +25319,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27519,10 +25333,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -27535,36 +25348,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27599,12 +25402,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -27645,9 +25445,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -27659,9 +25459,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -27671,8 +25471,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -27691,13 +25492,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -27706,19 +25505,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -27736,22 +25534,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -27759,31 +25556,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -27804,13 +25595,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27822,9 +25610,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -27838,15 +25626,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27857,10 +25640,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -27873,40 +25655,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27942,37 +25710,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27987,14 +25748,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28014,20 +25772,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28042,14 +25798,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28069,10 +25822,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -28092,29 +25844,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -28135,12 +25883,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -28152,8 +25898,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -28168,13 +25914,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -28185,10 +25928,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -28201,35 +25943,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -28264,39 +25997,34 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -28305,9 +26033,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -28324,17 +26052,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -28342,9 +26070,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -28357,34 +26085,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -28396,11 +26124,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -28411,11 +26138,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -28429,24 +26155,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -28468,13 +26193,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -28489,23 +26213,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -28522,19 +26247,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -28547,14 +26273,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -28564,11 +26290,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -28590,10 +26315,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -28602,60 +26326,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -28668,20 +26381,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -28702,44 +26412,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -28752,12 +26453,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -28772,36 +26471,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -28831,10 +26522,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -28843,60 +26533,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -28909,20 +26588,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -28943,44 +26619,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -28993,12 +26660,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29013,36 +26678,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29059,21 +26716,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -29081,57 +26736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29144,20 +26791,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29177,42 +26821,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29225,12 +26862,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29245,32 +26880,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29286,11 +26917,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -29314,37 +26944,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29357,22 +26983,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -29384,11 +27007,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -29397,50 +27019,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -29463,10 +27081,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29475,60 +27092,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29541,20 +27147,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29575,44 +27178,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29625,12 +27219,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29645,36 +27237,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29704,10 +27288,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29716,60 +27299,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29782,20 +27354,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29816,44 +27385,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29866,12 +27426,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29886,36 +27444,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29932,21 +27482,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -29954,57 +27502,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30017,20 +27557,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30050,42 +27587,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30098,12 +27628,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30118,32 +27646,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30170,16 +27694,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30202,15 +27724,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -30225,25 +27744,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30263,21 +27780,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -30291,15 +27807,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -30314,43 +27829,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30365,14 +27878,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -30392,20 +27902,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30420,14 +27928,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -30447,10 +27952,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -30459,14 +27963,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -30482,16 +27987,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30514,15 +28017,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -30537,25 +28037,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30575,21 +28073,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -30603,15 +28100,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -30631,14 +28127,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -30649,32 +28143,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -30689,24 +28182,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30729,15 +28220,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -30752,25 +28240,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30790,21 +28276,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -30818,15 +28303,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -30841,48 +28325,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30897,14 +28377,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -30924,20 +28401,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30952,14 +28427,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -30979,10 +28451,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31005,31 +28476,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -31050,13 +28515,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31068,9 +28530,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -31084,15 +28546,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31103,10 +28560,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -31119,40 +28575,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31188,12 +28630,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -31234,10 +28673,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -31249,9 +28687,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -31261,9 +28699,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -31282,14 +28720,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -31298,19 +28733,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -31328,38 +28762,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -31367,33 +28800,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -31416,14 +28841,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -31436,9 +28857,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -31452,16 +28873,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -31473,11 +28888,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -31491,43 +28904,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -31566,40 +28962,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31614,14 +29000,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31641,21 +29024,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31670,14 +29050,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31697,10 +29074,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31720,31 +29096,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -31765,12 +29135,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31782,8 +29150,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -31798,14 +29166,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31816,10 +29180,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -31832,38 +29195,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31899,56 +29250,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -31957,19 +29302,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -31991,42 +29336,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -32040,11 +29385,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -32057,8 +29403,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -32096,12 +29443,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -32123,14 +29465,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -32138,11 +29485,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -32150,9 +29496,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -32188,11 +29535,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -32200,52 +29546,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32257,19 +29600,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -32289,38 +29630,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32332,12 +29670,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -32352,32 +29688,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -32406,11 +29738,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -32418,52 +29749,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32475,19 +29803,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -32507,38 +29833,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32550,12 +29873,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -32570,32 +29891,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -32620,12 +29937,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -32669,14 +29981,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -32695,9 +30012,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -32715,10 +30032,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with @@ -32734,38 +30050,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string @@ -32779,22 +30090,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string @@ -32808,12 +30116,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -32835,14 +30141,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting @@ -32865,10 +30168,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -32924,10 +30227,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -32970,8 +30273,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -32984,8 +30288,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: @@ -33003,7 +30308,8 @@ spec: type: object type: array handler: - description: Handler represents the instance ID that handles the UR + description: |- + Handler represents the instance ID that handles the UR Deprecated type: string message: @@ -33025,12 +30331,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -33077,14 +30378,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33111,35 +30417,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33151,11 +30457,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -33163,63 +30468,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -33257,15 +30562,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 @@ -33286,61 +30592,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33352,10 +30668,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -33392,12 +30708,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} + controller-gen.kubebuilder.io/version: v0.14.0 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -33443,14 +30754,19 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33477,35 +30793,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33517,11 +30833,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -33529,63 +30844,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -33623,15 +30938,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 @@ -33652,61 +30968,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33718,10 +31044,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml index 14010466caa0..482fd31dbc02 100644 --- a/charts/kyverno/templates/reports-controller/clusterrole.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml @@ -18,14 +18,6 @@ metadata: labels: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - kyverno.io resources: @@ -66,6 +58,9 @@ rules: verbs: - create - patch +{{- with .Values.reportsController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- with .Values.reportsController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 6c95eaeaedab..012f221ff0d1 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -570,6 +570,20 @@ admissionController: annotations: {} # example.com/annotation: value + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -907,6 +921,20 @@ backgroundController: annotations: {} # example.com/annotation: value + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -1126,6 +1154,20 @@ cleanupController: annotations: {} # example.com/annotation: value + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -1398,6 +1440,20 @@ reportsController: annotations: {} # example.com/annotation: value + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] diff --git a/config/crds/kyverno.io_admissionreports.yaml b/config/crds/kyverno.io_admissionreports.yaml index a28425030104..6521c020b934 100644 --- a/config/crds/kyverno.io_admissionreports.yaml +++ b/config/crds/kyverno.io_admissionreports.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -56,14 +55,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -77,25 +81,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -127,35 +139,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -167,11 +179,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -179,66 +190,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -277,17 +285,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_backgroundscanreports.yaml b/config/crds/kyverno.io_backgroundscanreports.yaml index fd558d2e6c2f..e2e90287ab5e 100644 --- a/config/crds/kyverno.io_backgroundscanreports.yaml +++ b/config/crds/kyverno.io_backgroundscanreports.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -61,14 +60,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -97,35 +101,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -137,11 +141,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -149,66 +152,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -247,17 +247,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_cleanuppolicies.yaml b/config/crds/kyverno.io_cleanuppolicies.yaml index f760304fd0df..77250fb8c8bc 100644 --- a/config/crds/kyverno.io_cleanuppolicies.yaml +++ b/config/crds/kyverno.io_cleanuppolicies.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -32,14 +31,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -51,10 +55,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -65,11 +70,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -87,17 +92,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -108,11 +114,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -130,18 +136,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -162,11 +168,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -174,52 +179,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -231,19 +233,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -263,38 +263,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -306,12 +303,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -326,32 +321,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -380,11 +371,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -392,52 +382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -449,19 +436,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -481,38 +466,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -524,12 +506,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -544,32 +524,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -581,10 +557,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -605,11 +582,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -617,52 +593,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -674,19 +647,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -706,38 +677,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -749,12 +717,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -769,32 +735,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -823,11 +785,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -835,52 +796,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -892,19 +850,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -924,38 +880,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -967,12 +920,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -987,32 +938,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1035,42 +982,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1084,11 +1031,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crds/kyverno.io_clusteradmissionreports.yaml b/config/crds/kyverno.io_clusteradmissionreports.yaml index dc19faa07d17..2a65914aa3cf 100644 --- a/config/crds/kyverno.io_clusteradmissionreports.yaml +++ b/config/crds/kyverno.io_clusteradmissionreports.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io @@ -57,14 +56,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -78,25 +82,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -128,35 +140,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -168,11 +180,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -180,66 +191,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -278,17 +286,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_clusterbackgroundscanreports.yaml b/config/crds/kyverno.io_clusterbackgroundscanreports.yaml index 43a4ae251400..e729d04ef3d1 100644 --- a/config/crds/kyverno.io_clusterbackgroundscanreports.yaml +++ b/config/crds/kyverno.io_clusterbackgroundscanreports.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -61,14 +60,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -97,35 +101,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -137,11 +141,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -149,66 +152,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -247,17 +247,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_clustercleanuppolicies.yaml b/config/crds/kyverno.io_clustercleanuppolicies.yaml index 3a9bfb028aab..3ac9d00b008e 100644 --- a/config/crds/kyverno.io_clustercleanuppolicies.yaml +++ b/config/crds/kyverno.io_clustercleanuppolicies.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -32,14 +31,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -51,10 +55,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -65,11 +70,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -87,17 +92,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -108,11 +114,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -130,18 +136,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -162,11 +168,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -174,52 +179,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -231,19 +233,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -263,38 +263,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -306,12 +303,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -326,32 +321,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -380,11 +371,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -392,52 +382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -449,19 +436,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -481,38 +466,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -524,12 +506,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -544,32 +524,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -581,10 +557,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -605,11 +582,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -617,52 +593,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -674,19 +647,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -706,38 +677,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -749,12 +717,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -769,32 +735,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -823,11 +785,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -835,52 +796,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -892,19 +850,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -924,38 +880,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -967,12 +920,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -987,32 +938,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1035,42 +982,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1084,11 +1031,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 0c85e4fed2cc..005304d810c4 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -62,14 +61,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -77,68 +81,68 @@ spec: description: Spec declares policy behaviors. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -160,13 +164,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -181,22 +184,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -213,17 +218,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -236,13 +244,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -252,10 +261,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -277,11 +286,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -289,58 +297,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -353,20 +352,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -386,42 +382,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -434,12 +423,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -454,32 +441,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -510,11 +492,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -522,58 +503,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -586,20 +558,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -619,42 +588,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -667,12 +629,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -687,32 +647,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -730,20 +685,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -751,52 +705,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -808,19 +759,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -840,38 +789,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -883,12 +829,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -903,32 +847,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -944,10 +884,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -969,34 +909,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1008,21 +947,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1034,12 +971,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -1047,50 +983,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1112,11 +1045,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1124,58 +1056,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1188,20 +1111,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1221,42 +1141,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1269,12 +1182,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1289,32 +1200,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1345,11 +1251,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1357,58 +1262,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1421,20 +1317,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1454,42 +1347,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1502,12 +1388,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1522,32 +1406,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1565,20 +1444,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1586,52 +1464,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1643,19 +1518,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1675,38 +1548,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1718,12 +1588,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1738,32 +1606,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1789,15 +1653,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1819,14 +1682,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1841,25 +1702,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1877,20 +1737,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -1903,15 +1763,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -1924,42 +1783,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -1973,13 +1831,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -1999,20 +1855,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2026,13 +1880,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2052,10 +1904,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2064,14 +1915,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -2087,15 +1939,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2117,14 +1968,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2139,25 +1988,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2175,20 +2023,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2201,15 +2049,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2228,13 +2075,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2245,31 +2091,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -2283,23 +2129,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2321,14 +2166,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2343,25 +2186,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2379,20 +2221,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2405,15 +2247,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2427,47 +2268,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2481,13 +2318,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2507,20 +2342,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2534,13 +2367,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2560,10 +2391,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2585,31 +2415,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -2630,12 +2454,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -2647,8 +2469,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -2663,14 +2485,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -2681,10 +2499,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -2697,36 +2514,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -2761,12 +2568,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -2807,9 +2611,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -2821,9 +2625,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -2833,8 +2637,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -2853,13 +2658,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -2868,19 +2671,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -2898,37 +2700,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -2936,31 +2738,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -2981,13 +2777,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -2999,9 +2792,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3015,15 +2808,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -3034,10 +2822,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3050,40 +2837,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -3119,37 +2892,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3164,14 +2930,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3191,20 +2954,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3219,14 +2980,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3246,10 +3004,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3269,29 +3026,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -3312,12 +3065,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -3329,8 +3080,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -3345,13 +3096,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -3362,10 +3110,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -3378,35 +3125,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -3441,54 +3179,50 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -3497,19 +3231,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -3526,17 +3260,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -3544,9 +3278,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -3559,34 +3293,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3598,11 +3332,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3613,11 +3346,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -3631,24 +3363,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -3670,13 +3401,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -3691,23 +3421,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -3724,19 +3455,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -3749,14 +3481,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -3766,11 +3498,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -3792,10 +3523,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -3804,60 +3534,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3870,20 +3589,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3904,44 +3620,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3954,12 +3661,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3974,36 +3679,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4033,10 +3730,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4045,60 +3741,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4111,20 +3796,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4145,44 +3827,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4195,12 +3868,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4215,36 +3886,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4261,21 +3924,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4283,57 +3944,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4346,20 +3999,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4379,42 +4029,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4427,12 +4070,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4447,32 +4088,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4488,11 +4125,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -4516,37 +4152,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4559,22 +4191,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -4586,11 +4215,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -4599,50 +4227,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -4665,10 +4289,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4677,60 +4300,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4743,20 +4355,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4777,44 +4386,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4827,12 +4427,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4847,36 +4445,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4906,10 +4496,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4918,60 +4507,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4984,20 +4562,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5018,44 +4593,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5068,12 +4634,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5088,36 +4652,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5134,21 +4690,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5156,57 +4710,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5219,20 +4765,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5252,42 +4795,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5300,12 +4836,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5320,32 +4854,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5372,16 +4902,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -5404,15 +4932,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5427,25 +4952,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -5465,21 +4988,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5493,15 +5015,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -5516,43 +5037,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5567,14 +5086,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5594,20 +5110,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5622,14 +5136,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5649,10 +5160,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5661,14 +5171,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -5684,16 +5195,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -5716,15 +5225,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5739,25 +5245,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -5777,21 +5281,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5805,15 +5308,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -5833,14 +5335,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5851,32 +5351,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -5891,24 +5390,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -5931,15 +5428,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5954,25 +5448,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -5992,21 +5484,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6020,15 +5511,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6043,48 +5533,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6099,14 +5585,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6126,20 +5609,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6154,14 +5635,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6181,10 +5659,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6207,31 +5684,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6252,13 +5723,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6270,9 +5738,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -6286,15 +5754,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6305,10 +5768,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -6321,40 +5783,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6390,12 +5838,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -6436,10 +5881,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -6451,9 +5895,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -6463,9 +5907,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -6484,14 +5928,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -6500,19 +5941,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -6530,38 +5970,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -6569,33 +6008,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -6618,14 +6049,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -6638,9 +6065,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -6654,16 +6081,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -6675,11 +6096,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -6693,43 +6112,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -6768,40 +6170,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6816,14 +6208,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6843,21 +6232,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6872,14 +6258,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6899,10 +6282,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6922,31 +6304,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6967,12 +6343,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6984,8 +6358,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -7000,14 +6374,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -7018,10 +6388,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7034,38 +6403,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -7101,56 +6458,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -7159,19 +6510,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -7193,42 +6544,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -7242,11 +6593,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -7259,8 +6611,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -7336,14 +6689,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -7351,67 +6709,67 @@ spec: description: Spec declares policy behaviors. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -7433,13 +6791,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7454,22 +6811,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -7486,17 +6845,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7509,13 +6871,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -7525,10 +6888,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -7550,11 +6913,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7562,58 +6924,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7626,20 +6979,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7659,42 +7009,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7707,12 +7050,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7727,32 +7068,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7783,11 +7119,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7795,58 +7130,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7859,20 +7185,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7892,42 +7215,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7940,12 +7256,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7960,32 +7274,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -8004,10 +7313,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -8029,34 +7338,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8068,21 +7376,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -8094,12 +7400,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -8107,50 +7412,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -8172,11 +7474,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8184,58 +7485,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8248,20 +7540,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8281,42 +7570,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8329,12 +7611,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8349,32 +7629,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -8405,11 +7680,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8417,58 +7691,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8481,20 +7746,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8514,42 +7776,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8562,12 +7817,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8582,32 +7835,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -8636,15 +7884,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8666,14 +7913,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8688,25 +7933,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8724,20 +7968,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -8750,15 +7994,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8771,42 +8014,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8820,13 +8062,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8846,20 +8086,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8873,13 +8111,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8899,10 +8135,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8911,14 +8146,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -8934,15 +8170,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8964,14 +8199,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8986,25 +8219,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9022,20 +8254,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9048,15 +8280,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -9075,13 +8306,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9092,18 +8322,18 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -9114,11 +8344,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9136,18 +8366,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -9158,11 +8388,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9180,9 +8410,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9191,25 +8421,25 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -9222,13 +8452,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9246,17 +8474,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -9269,13 +8497,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9293,9 +8519,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9312,23 +8538,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -9350,14 +8575,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9372,25 +8595,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9408,20 +8630,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9434,15 +8656,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -9456,47 +8677,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9510,13 +8727,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9536,20 +8751,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9563,13 +8776,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9589,10 +8800,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9614,31 +8824,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -9659,12 +8863,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9676,8 +8878,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -9692,14 +8894,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9710,10 +8908,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -9726,36 +8923,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9790,12 +8977,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -9836,9 +9020,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -9850,9 +9034,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -9862,8 +9046,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -9882,13 +9067,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -9897,19 +9080,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -9927,22 +9109,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -9950,31 +9131,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -9995,13 +9170,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10013,9 +9185,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -10029,15 +9201,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10048,10 +9215,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10064,40 +9230,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10133,37 +9285,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10178,14 +9323,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10205,20 +9347,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10233,14 +9373,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10260,10 +9397,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10283,29 +9419,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -10326,12 +9458,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -10343,8 +9473,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -10359,13 +9489,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -10376,10 +9503,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -10392,35 +9518,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -10455,39 +9572,34 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -10496,9 +9608,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -10515,17 +9627,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -10533,9 +9645,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -10548,34 +9660,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -10587,11 +9699,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10602,11 +9713,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -10620,24 +9730,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -10659,13 +9768,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10680,23 +9788,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10713,19 +9822,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -10738,14 +9848,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -10755,11 +9865,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -10781,10 +9890,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -10793,60 +9901,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10859,20 +9956,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10893,44 +9987,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10943,12 +10028,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10963,36 +10046,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11022,10 +10097,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11034,60 +10108,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11100,20 +10163,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11134,44 +10194,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11184,12 +10235,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11204,36 +10253,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11250,21 +10291,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11272,57 +10311,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11335,20 +10366,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11368,42 +10396,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11416,12 +10437,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11436,32 +10455,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11477,11 +10492,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -11505,37 +10519,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11548,22 +10558,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -11575,11 +10582,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -11588,50 +10594,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -11654,10 +10656,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11666,60 +10667,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11732,20 +10722,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11766,44 +10753,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11816,12 +10794,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11836,36 +10812,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11895,10 +10863,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11907,60 +10874,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11973,20 +10929,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12007,44 +10960,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12057,12 +11001,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12077,36 +11019,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12123,21 +11057,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -12145,57 +11077,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12208,20 +11132,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12241,42 +11162,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12289,12 +11203,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12309,32 +11221,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12361,16 +11269,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12393,15 +11299,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12416,25 +11319,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12454,21 +11355,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12482,15 +11382,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -12505,43 +11404,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12556,14 +11453,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12583,20 +11477,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12611,14 +11503,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12638,10 +11527,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12650,14 +11538,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -12673,16 +11562,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12705,15 +11592,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12728,25 +11612,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12766,21 +11648,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12794,15 +11675,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -12822,14 +11702,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12840,32 +11718,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -12880,24 +11757,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12920,15 +11795,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12943,25 +11815,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12981,21 +11851,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13009,15 +11878,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13032,48 +11900,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13088,14 +11952,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13115,20 +11976,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13143,14 +12002,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13170,10 +12026,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13196,31 +12051,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13241,13 +12090,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13259,9 +12105,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -13275,15 +12121,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13294,10 +12135,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -13310,40 +12150,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13379,12 +12205,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -13425,10 +12248,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -13440,9 +12262,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -13452,9 +12274,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -13473,14 +12295,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13489,19 +12308,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -13519,38 +12337,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -13558,33 +12375,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -13607,14 +12416,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -13627,9 +12432,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -13643,16 +12448,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -13664,11 +12463,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -13682,43 +12479,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -13757,40 +12537,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13805,14 +12575,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13832,21 +12599,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13861,14 +12625,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13888,10 +12649,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13911,31 +12671,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13956,12 +12710,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13973,8 +12725,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13989,14 +12741,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -14007,10 +12755,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -14023,38 +12770,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -14090,56 +12825,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -14148,19 +12877,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -14182,42 +12911,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -14231,11 +12960,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -14248,8 +12978,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index b9f65fa8764d..fbab047904d4 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io @@ -58,19 +57,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -78,68 +82,68 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -161,13 +165,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -182,22 +185,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -214,17 +219,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -237,13 +245,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -253,10 +262,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -278,11 +287,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -290,58 +298,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -354,20 +353,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -387,42 +383,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -435,12 +424,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -455,32 +442,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -511,11 +493,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -523,58 +504,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -587,20 +559,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -620,42 +589,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -668,12 +630,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -688,32 +648,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -731,20 +686,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -752,52 +706,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -809,19 +760,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -841,38 +790,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -884,12 +830,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -904,32 +848,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -945,10 +885,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -970,34 +910,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1009,21 +948,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1035,12 +972,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -1048,50 +984,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1113,11 +1046,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1125,58 +1057,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1189,20 +1112,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1222,42 +1142,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1270,12 +1183,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1290,32 +1201,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1346,11 +1252,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1358,58 +1263,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1422,20 +1318,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1455,42 +1348,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1503,12 +1389,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1523,32 +1407,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -1566,20 +1445,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1587,52 +1465,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1644,19 +1519,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1676,38 +1549,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1719,12 +1589,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1739,32 +1607,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1790,15 +1654,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1820,14 +1683,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -1842,25 +1703,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1878,20 +1738,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -1904,15 +1764,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -1925,42 +1784,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -1974,13 +1832,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2000,20 +1856,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2027,13 +1881,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2053,10 +1905,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2065,14 +1916,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -2088,15 +1940,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2118,14 +1969,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2140,25 +1989,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2176,20 +2024,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2202,15 +2050,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2229,13 +2076,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2246,31 +2092,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -2284,23 +2130,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2322,14 +2167,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -2344,25 +2187,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2380,20 +2222,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -2406,15 +2248,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2428,47 +2269,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2482,13 +2319,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2508,20 +2343,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2535,13 +2368,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2561,10 +2392,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2586,31 +2416,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -2631,12 +2455,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -2648,8 +2470,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -2664,14 +2486,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -2682,10 +2500,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -2698,36 +2515,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -2762,12 +2569,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -2808,9 +2612,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -2822,9 +2626,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -2834,8 +2638,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -2854,13 +2659,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -2869,19 +2672,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -2899,37 +2701,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -2937,31 +2739,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -2982,13 +2778,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -3000,9 +2793,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3016,15 +2809,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -3035,10 +2823,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3051,40 +2838,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -3120,37 +2893,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3165,14 +2931,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3192,20 +2955,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3220,14 +2981,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3247,10 +3005,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3270,29 +3027,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -3313,12 +3066,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -3330,8 +3081,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -3346,13 +3097,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -3363,10 +3111,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -3379,35 +3126,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -3442,54 +3180,50 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -3498,19 +3232,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -3527,17 +3261,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -3545,9 +3279,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -3560,34 +3294,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3599,11 +3333,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3614,17 +3347,17 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object status: - description: Status contains policy runtime information. Deprecated. Policy - metrics are available via the metrics endpoint + description: |- + Status contains policy runtime information. + Deprecated. Policy metrics are available via the metrics endpoint properties: autogen: description: Autogen contains autogen status information @@ -3633,24 +3366,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -3672,13 +3404,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -3693,23 +3424,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -3726,19 +3458,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -3751,14 +3484,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -3768,11 +3501,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -3794,10 +3526,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -3806,60 +3537,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3872,20 +3592,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3906,44 +3623,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -3956,12 +3664,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3976,36 +3682,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4035,10 +3733,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4047,60 +3744,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4113,20 +3799,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4147,44 +3830,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4197,12 +3871,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4217,36 +3889,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4263,21 +3927,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4285,57 +3947,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4348,20 +4002,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4381,42 +4032,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4429,12 +4073,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4449,32 +4091,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4490,11 +4128,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -4518,37 +4155,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4561,22 +4194,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -4588,11 +4218,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -4601,50 +4230,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -4667,10 +4292,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4679,60 +4303,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4745,20 +4358,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4779,44 +4389,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4829,12 +4430,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4849,36 +4448,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4908,10 +4499,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -4920,60 +4510,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4986,20 +4565,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5020,44 +4596,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5070,12 +4637,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5090,36 +4655,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5136,21 +4693,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5158,57 +4713,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5221,20 +4768,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5254,42 +4798,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5302,12 +4839,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5322,32 +4857,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5374,16 +4905,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -5406,15 +4935,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5429,25 +4955,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -5467,21 +4991,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5495,15 +5018,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -5518,43 +5040,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5569,14 +5089,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5596,20 +5113,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5624,14 +5139,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5651,10 +5163,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5663,14 +5174,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -5686,16 +5198,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -5718,15 +5228,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5741,25 +5248,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -5779,21 +5284,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5807,15 +5311,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -5835,14 +5338,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5853,32 +5354,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -5893,24 +5393,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -5933,15 +5431,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5956,25 +5451,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -5994,21 +5487,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6022,15 +5514,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6045,48 +5536,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6101,14 +5588,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6128,20 +5612,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6156,14 +5638,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6183,10 +5662,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6209,31 +5687,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6254,13 +5726,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6272,9 +5741,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -6288,15 +5757,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6307,10 +5771,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -6323,40 +5786,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6392,12 +5841,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -6438,10 +5884,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -6453,9 +5898,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -6465,9 +5910,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -6486,14 +5931,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -6502,19 +5944,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -6532,38 +5973,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -6571,33 +6011,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -6620,14 +6052,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -6640,9 +6068,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -6656,16 +6084,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -6677,11 +6099,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -6695,43 +6115,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -6770,40 +6173,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6818,14 +6211,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6845,21 +6235,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6874,14 +6261,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6901,10 +6285,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6924,31 +6307,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6969,12 +6346,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6986,8 +6361,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -7002,14 +6377,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -7020,10 +6391,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7036,38 +6406,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -7103,56 +6461,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -7161,19 +6513,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -7195,42 +6547,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -7244,11 +6596,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -7261,8 +6614,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -7334,19 +6688,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -7354,67 +6713,67 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -7436,13 +6795,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7457,22 +6815,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -7489,17 +6849,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7512,13 +6875,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -7528,10 +6892,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -7553,11 +6917,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7565,58 +6928,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7629,20 +6983,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7662,42 +7013,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7710,12 +7054,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7730,32 +7072,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -7786,11 +7123,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -7798,58 +7134,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7862,20 +7189,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7895,42 +7219,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7943,12 +7260,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7963,32 +7278,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -8007,10 +7317,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -8032,34 +7342,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8071,21 +7380,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -8097,12 +7404,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -8110,50 +7416,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -8175,11 +7478,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8187,58 +7489,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8251,20 +7544,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8284,42 +7574,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8332,12 +7615,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8352,32 +7633,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -8408,11 +7684,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8420,58 +7695,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8484,20 +7750,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8517,42 +7780,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8565,12 +7821,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8585,32 +7839,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -8639,15 +7888,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8669,14 +7917,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8691,25 +7937,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8727,20 +7972,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -8753,15 +7998,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8774,42 +8018,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8823,13 +8066,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8849,20 +8090,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8876,13 +8115,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8902,10 +8139,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8914,14 +8150,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -8937,15 +8174,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8967,14 +8203,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -8989,25 +8223,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9025,20 +8258,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9051,15 +8284,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -9078,13 +8310,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9095,18 +8326,18 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -9117,11 +8348,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9139,18 +8370,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -9161,11 +8392,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9183,9 +8414,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9194,25 +8425,25 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -9225,13 +8456,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9249,17 +8478,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -9272,13 +8501,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9296,9 +8523,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9315,23 +8542,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -9353,14 +8579,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9375,25 +8599,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9411,20 +8634,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9437,15 +8660,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -9459,47 +8681,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9513,13 +8731,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9539,20 +8755,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9566,13 +8780,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9592,10 +8804,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9617,31 +8828,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -9662,12 +8867,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9679,8 +8882,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -9695,14 +8898,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9713,10 +8912,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -9729,36 +8927,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9793,12 +8981,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -9839,9 +9024,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -9853,9 +9038,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -9865,8 +9050,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -9885,13 +9071,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -9900,19 +9084,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -9930,22 +9113,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -9953,31 +9135,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -9998,13 +9174,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10016,9 +9189,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -10032,15 +9205,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10051,10 +9219,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10067,40 +9234,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10136,37 +9289,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10181,14 +9327,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10208,20 +9351,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10236,14 +9377,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10263,10 +9401,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10286,29 +9423,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -10329,12 +9462,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -10346,8 +9477,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -10362,13 +9493,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -10379,10 +9507,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -10395,35 +9522,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -10458,39 +9576,34 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -10499,9 +9612,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -10518,17 +9631,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -10536,9 +9649,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -10551,34 +9664,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -10590,11 +9703,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10605,11 +9717,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -10623,24 +9734,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -10662,13 +9772,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -10683,23 +9792,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10716,19 +9826,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -10741,14 +9852,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -10758,11 +9869,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -10784,10 +9894,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -10796,60 +9905,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10862,20 +9960,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -10896,44 +9991,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10946,12 +10032,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10966,36 +10050,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11025,10 +10101,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11037,60 +10112,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11103,20 +10167,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11137,44 +10198,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11187,12 +10239,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11207,36 +10257,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11253,21 +10295,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11275,57 +10315,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11338,20 +10370,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11371,42 +10400,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11419,12 +10441,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11439,32 +10459,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11480,11 +10496,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -11508,37 +10523,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11551,22 +10562,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -11578,11 +10586,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -11591,50 +10598,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -11657,10 +10660,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11669,60 +10671,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11735,20 +10726,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11769,44 +10757,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11819,12 +10798,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11839,36 +10816,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -11898,10 +10867,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -11910,60 +10878,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11976,20 +10933,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12010,44 +10964,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12060,12 +11005,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12080,36 +11023,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12126,21 +11061,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -12148,57 +11081,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12211,20 +11136,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12244,42 +11166,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12292,12 +11207,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12312,32 +11225,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -12364,16 +11273,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12396,15 +11303,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12419,25 +11323,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12457,21 +11359,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12485,15 +11386,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -12508,43 +11408,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12559,14 +11457,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12586,20 +11481,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12614,14 +11507,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12641,10 +11531,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12653,14 +11542,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -12676,16 +11566,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12708,15 +11596,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12731,25 +11616,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12769,21 +11652,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12797,15 +11679,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -12825,14 +11706,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12843,32 +11722,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -12883,24 +11761,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12923,15 +11799,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12946,25 +11819,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12984,21 +11855,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13012,15 +11882,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13035,48 +11904,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13091,14 +11956,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13118,20 +11980,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13146,14 +12006,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13173,10 +12030,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13199,31 +12055,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13244,13 +12094,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13262,9 +12109,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -13278,15 +12125,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13297,10 +12139,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -13313,40 +12154,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13382,12 +12209,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -13428,10 +12252,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -13443,9 +12266,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -13455,9 +12278,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -13476,14 +12299,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13492,19 +12312,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -13522,38 +12341,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -13561,33 +12379,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -13610,14 +12420,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -13630,9 +12436,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -13646,16 +12452,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -13667,11 +12467,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -13685,43 +12483,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -13760,40 +12541,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13808,14 +12579,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13835,21 +12603,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13864,14 +12629,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13891,10 +12653,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13914,31 +12675,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13959,12 +12714,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13976,8 +12729,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13992,14 +12745,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -14010,10 +12759,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -14026,38 +12774,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -14093,56 +12829,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -14151,19 +12881,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -14185,42 +12915,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -14234,11 +12964,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -14251,8 +12982,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy diff --git a/config/crds/kyverno.io_policyexceptions.yaml b/config/crds/kyverno.io_policyexceptions.yaml index 04f0ebde8b5f..d636bddfb841 100644 --- a/config/crds/kyverno.io_policyexceptions.yaml +++ b/config/crds/kyverno.io_policyexceptions.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -26,14 +25,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -41,11 +45,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -53,9 +56,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -91,11 +95,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -103,52 +106,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -160,19 +160,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -192,38 +190,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -235,12 +230,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -255,32 +248,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -309,11 +298,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -321,52 +309,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -378,19 +363,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -410,38 +393,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -453,12 +433,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -473,32 +451,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind diff --git a/config/crds/kyverno.io_updaterequests.yaml b/config/crds/kyverno.io_updaterequests.yaml index 483e92b49660..bf0ba7b27967 100644 --- a/config/crds/kyverno.io_updaterequests.yaml +++ b/config/crds/kyverno.io_updaterequests.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -48,14 +47,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -74,9 +78,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -94,10 +98,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with @@ -113,38 +116,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string @@ -158,22 +156,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string @@ -187,12 +182,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -214,14 +207,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting @@ -244,10 +234,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -303,10 +293,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -349,8 +339,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -363,8 +354,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: @@ -382,7 +374,8 @@ spec: type: object type: array handler: - description: Handler represents the instance ID that handles the UR + description: |- + Handler represents the instance ID that handles the UR Deprecated type: string message: diff --git a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml index 3c6d8dafc283..b424611edf0a 100644 --- a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml +++ b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -51,14 +50,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -85,35 +89,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -125,11 +129,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -137,63 +140,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -231,15 +234,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 @@ -260,61 +264,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -326,10 +340,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/config/crds/wgpolicyk8s.io_policyreports.yaml b/config/crds/wgpolicyk8s.io_policyreports.yaml index a8c8aafeca1b..39569465b06f 100644 --- a/config/crds/wgpolicyk8s.io_policyreports.yaml +++ b/config/crds/wgpolicyk8s.io_policyreports.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -50,14 +49,19 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -84,35 +88,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -124,11 +128,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -136,63 +139,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -230,15 +233,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 @@ -259,61 +263,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -325,10 +339,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index b2652681f1d3..ba377b62aa0c 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -207,12 +207,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -264,14 +259,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -285,25 +285,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -335,35 +343,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -375,11 +383,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -387,66 +394,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -485,17 +489,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -544,12 +549,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -606,14 +606,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -642,35 +647,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -682,11 +687,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -694,66 +698,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -792,17 +793,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -849,12 +851,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -882,14 +879,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -901,10 +903,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -915,11 +918,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -937,17 +940,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -958,11 +962,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -980,18 +984,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -1012,11 +1016,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1024,52 +1027,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1081,19 +1081,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1113,38 +1111,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1156,12 +1151,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1176,32 +1169,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1230,11 +1219,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1242,52 +1230,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1299,19 +1284,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1331,38 +1314,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1374,12 +1354,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1394,32 +1372,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1431,10 +1405,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1455,11 +1430,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1467,52 +1441,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1524,19 +1495,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1556,38 +1525,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1599,12 +1565,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1619,32 +1583,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1673,11 +1633,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1685,52 +1644,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1742,19 +1698,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -1774,38 +1728,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1817,12 +1768,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1837,32 +1786,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -1885,42 +1830,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1934,11 +1879,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1963,12 +1909,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io @@ -2021,14 +1962,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -2042,25 +1988,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion @@ -2092,35 +2046,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2132,11 +2086,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2144,66 +2097,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -2242,17 +2192,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -2301,12 +2252,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -2363,14 +2309,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -2399,35 +2350,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2439,11 +2390,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2451,66 +2401,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -2549,17 +2496,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: @@ -2606,12 +2554,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -2639,14 +2582,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -2658,10 +2606,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -2672,11 +2621,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2694,17 +2643,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -2715,11 +2665,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -2737,18 +2687,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -2769,11 +2719,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2781,52 +2730,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2838,19 +2784,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -2870,38 +2814,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2913,12 +2854,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -2933,32 +2872,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2987,11 +2922,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -2999,52 +2933,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3056,19 +2987,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3088,38 +3017,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3131,12 +3057,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3151,32 +3075,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3188,10 +3108,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -3212,11 +3133,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -3224,52 +3144,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3281,19 +3198,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3313,38 +3228,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3356,12 +3268,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3376,32 +3286,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3430,11 +3336,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -3442,52 +3347,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3499,19 +3401,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -3531,38 +3431,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3574,12 +3471,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -3594,32 +3489,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -3642,42 +3533,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -3691,11 +3582,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -3720,12 +3612,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -3783,14 +3670,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3798,68 +3690,68 @@ spec: description: Spec declares policy behaviors. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -3881,13 +3773,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -3902,22 +3793,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -3934,17 +3827,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -3957,13 +3853,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -3973,10 +3870,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -3998,11 +3895,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4010,58 +3906,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4074,20 +3961,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4107,42 +3991,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4155,12 +4032,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4175,32 +4050,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -4231,11 +4101,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4243,58 +4112,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4307,20 +4167,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4340,42 +4197,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4388,12 +4238,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4408,32 +4256,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -4451,20 +4294,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4472,52 +4314,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4529,19 +4368,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4561,38 +4398,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4604,12 +4438,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4624,32 +4456,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -4665,10 +4493,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -4690,34 +4518,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4729,21 +4556,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -4755,12 +4580,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -4768,50 +4592,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -4833,11 +4654,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -4845,58 +4665,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4909,20 +4720,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -4942,42 +4750,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4990,12 +4791,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5010,32 +4809,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -5066,11 +4860,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5078,58 +4871,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5142,20 +4926,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5175,42 +4956,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5223,12 +4997,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5243,32 +5015,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -5286,20 +5053,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -5307,52 +5073,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5364,19 +5127,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -5396,38 +5157,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5439,12 +5197,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -5459,32 +5215,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -5510,15 +5262,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -5540,14 +5291,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5562,25 +5311,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5598,20 +5346,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5624,15 +5372,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -5645,42 +5392,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5694,13 +5440,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5720,20 +5464,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -5747,13 +5489,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -5773,10 +5513,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5785,14 +5524,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -5808,15 +5548,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -5838,14 +5577,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -5860,25 +5597,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5896,20 +5632,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -5922,15 +5658,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -5949,13 +5684,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5966,31 +5700,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -6004,23 +5738,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -6042,14 +5775,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -6064,25 +5795,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -6100,20 +5830,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -6126,15 +5856,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -6148,47 +5877,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6202,13 +5927,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6228,20 +5951,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6255,13 +5976,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6281,10 +6000,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6306,31 +6024,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6351,12 +6063,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6368,8 +6078,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -6384,14 +6094,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6402,10 +6108,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -6418,36 +6123,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6482,12 +6177,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -6528,9 +6220,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -6542,9 +6234,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -6554,8 +6246,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -6574,13 +6267,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -6589,19 +6280,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -6619,37 +6309,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -6657,31 +6347,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -6702,13 +6386,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6720,9 +6401,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -6736,15 +6417,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6755,10 +6431,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -6771,40 +6446,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -6840,37 +6501,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6885,14 +6539,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6912,20 +6563,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6940,14 +6589,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -6967,10 +6613,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6990,29 +6635,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -7033,12 +6674,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -7050,8 +6689,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -7066,13 +6705,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -7083,10 +6719,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -7099,35 +6734,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -7162,54 +6788,50 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -7218,19 +6840,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -7247,17 +6869,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -7265,9 +6887,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -7280,34 +6902,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7319,11 +6941,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7334,11 +6955,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -7352,24 +6972,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -7391,13 +7010,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7412,23 +7030,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -7445,19 +7064,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -7470,14 +7090,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -7487,11 +7107,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -7513,10 +7132,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -7525,60 +7143,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7591,20 +7198,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7625,44 +7229,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7675,12 +7270,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7695,36 +7288,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -7754,10 +7339,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -7766,60 +7350,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7832,20 +7405,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -7866,44 +7436,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7916,12 +7477,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -7936,36 +7495,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -7982,21 +7533,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8004,57 +7553,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8067,20 +7608,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8100,42 +7638,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8148,12 +7679,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8168,32 +7697,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8209,11 +7734,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -8237,37 +7761,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8280,22 +7800,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -8307,11 +7824,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -8320,50 +7836,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -8386,10 +7898,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -8398,60 +7909,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8464,20 +7964,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8498,44 +7995,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8548,12 +8036,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8568,36 +8054,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8627,10 +8105,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -8639,60 +8116,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8705,20 +8171,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8739,44 +8202,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8789,12 +8243,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -8809,36 +8261,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -8855,21 +8299,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -8877,57 +8319,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8940,20 +8374,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -8973,42 +8404,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9021,12 +8445,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -9041,32 +8463,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -9093,16 +8511,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -9125,15 +8541,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9148,25 +8561,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -9186,21 +8597,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9214,15 +8624,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -9237,43 +8646,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9288,14 +8695,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9315,20 +8719,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9343,14 +8745,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9370,10 +8769,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9382,14 +8780,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -9405,16 +8804,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -9437,15 +8834,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9460,25 +8854,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -9498,21 +8890,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9526,15 +8917,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -9554,14 +8944,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9572,32 +8960,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -9612,24 +8999,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -9652,15 +9037,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -9675,25 +9057,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -9713,21 +9093,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -9741,15 +9120,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -9764,48 +9142,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9820,14 +9194,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9847,20 +9218,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9875,14 +9244,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -9902,10 +9268,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -9928,31 +9293,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -9973,13 +9332,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -9991,9 +9347,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -10007,15 +9363,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10026,10 +9377,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10042,40 +9392,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10111,12 +9447,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -10157,10 +9490,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -10172,9 +9504,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -10184,9 +9516,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -10205,14 +9537,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -10221,19 +9550,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -10251,38 +9579,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -10290,33 +9617,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -10339,14 +9658,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -10359,9 +9674,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -10375,16 +9690,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -10396,11 +9705,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -10414,43 +9721,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -10489,40 +9779,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10537,14 +9817,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10564,21 +9841,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10593,14 +9867,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10620,10 +9891,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10643,31 +9913,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -10688,12 +9952,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10705,8 +9967,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -10721,14 +9983,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10739,10 +9997,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10755,38 +10012,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -10822,56 +10067,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -10880,19 +10119,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -10914,42 +10153,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -10963,11 +10202,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -10980,8 +10220,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -11057,14 +10298,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -11072,67 +10318,67 @@ spec: description: Spec declares policy behaviors. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -11154,13 +10400,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -11175,22 +10420,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11207,17 +10454,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -11230,13 +10480,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -11246,10 +10497,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -11271,11 +10522,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11283,58 +10533,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11347,20 +10588,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11380,42 +10618,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11428,12 +10659,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11448,32 +10677,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -11504,11 +10728,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11516,58 +10739,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11580,20 +10794,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -11613,42 +10824,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11661,12 +10865,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11681,32 +10883,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -11725,10 +10922,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -11750,34 +10947,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -11789,21 +10985,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -11815,12 +11009,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -11828,50 +11021,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -11893,11 +11083,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -11905,58 +11094,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11969,20 +11149,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12002,42 +11179,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12050,12 +11220,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12070,32 +11238,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -12126,11 +11289,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -12138,58 +11300,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12202,20 +11355,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -12235,42 +11385,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12283,12 +11426,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -12303,32 +11444,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -12357,15 +11493,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -12387,14 +11522,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12409,25 +11542,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -12445,20 +11577,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12471,15 +11603,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -12492,42 +11623,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12541,13 +11671,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12567,20 +11695,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12594,13 +11720,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12620,10 +11744,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12632,14 +11755,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -12655,15 +11779,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -12685,14 +11808,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -12707,25 +11828,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -12743,20 +11863,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -12769,15 +11889,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -12796,13 +11915,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12813,18 +11931,18 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -12835,11 +11953,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12857,18 +11975,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -12879,11 +11997,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12901,9 +12019,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12912,25 +12030,25 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -12943,13 +12061,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12967,17 +12083,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -12990,13 +12106,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13014,9 +12128,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13033,23 +12147,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -13071,14 +12184,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13093,25 +12204,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13129,20 +12239,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -13155,15 +12265,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -13177,47 +12286,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13231,13 +12336,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13257,20 +12360,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13284,13 +12385,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13310,10 +12409,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13335,31 +12433,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13380,12 +12472,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13397,8 +12487,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -13413,14 +12503,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13431,10 +12517,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -13447,36 +12532,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13511,12 +12586,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -13557,9 +12629,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -13571,9 +12643,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -13583,8 +12655,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -13603,13 +12676,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13618,19 +12689,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -13648,22 +12718,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -13671,31 +12740,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -13716,13 +12779,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13734,9 +12794,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -13750,15 +12810,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13769,10 +12824,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -13785,40 +12839,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -13854,37 +12894,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13899,14 +12932,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13926,20 +12956,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13954,14 +12982,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -13981,10 +13006,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -14004,29 +13028,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -14047,12 +13067,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -14064,8 +13082,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -14080,13 +13098,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -14097,10 +13112,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -14113,35 +13127,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -14176,39 +13181,34 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -14217,9 +13217,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -14236,17 +13236,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -14254,9 +13254,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -14269,34 +13269,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -14308,11 +13308,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14323,11 +13322,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -14341,24 +13339,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -14380,13 +13377,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -14401,23 +13397,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -14434,19 +13431,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -14459,14 +13457,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -14476,11 +13474,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -14502,10 +13499,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14514,60 +13510,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14580,20 +13565,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14614,44 +13596,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14664,12 +13637,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14684,36 +13655,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14743,10 +13706,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -14755,60 +13717,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14821,20 +13772,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -14855,44 +13803,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14905,12 +13844,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -14925,36 +13862,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -14971,21 +13900,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -14993,57 +13920,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15056,20 +13975,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15089,42 +14005,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15137,12 +14046,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15157,32 +14064,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15198,11 +14101,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -15226,37 +14128,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15269,22 +14167,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -15296,11 +14191,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -15309,50 +14203,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -15375,10 +14265,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -15387,60 +14276,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15453,20 +14331,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15487,44 +14362,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15537,12 +14403,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15557,36 +14421,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15616,10 +14472,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -15628,60 +14483,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15694,20 +14538,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15728,44 +14569,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15778,12 +14610,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -15798,36 +14628,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -15844,21 +14666,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -15866,57 +14686,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15929,20 +14741,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -15962,42 +14771,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16010,12 +14812,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -16030,32 +14830,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -16082,16 +14878,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16114,15 +14908,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16137,25 +14928,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16175,21 +14964,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16203,15 +14991,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16226,43 +15013,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16277,14 +15062,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16304,20 +15086,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16332,14 +15112,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16359,10 +15136,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16371,14 +15147,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -16394,16 +15171,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16426,15 +15201,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16449,25 +15221,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16487,21 +15257,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16515,15 +15284,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16543,14 +15311,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16561,32 +15327,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -16601,24 +15366,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -16641,15 +15404,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16664,25 +15424,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -16702,21 +15460,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -16730,15 +15487,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -16753,48 +15509,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16809,14 +15561,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16836,20 +15585,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16864,14 +15611,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -16891,10 +15635,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -16917,31 +15660,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -16962,13 +15699,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -16980,9 +15714,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16996,15 +15730,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17015,10 +15744,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -17031,40 +15759,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17100,12 +15814,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17146,10 +15857,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -17161,9 +15871,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -17173,9 +15883,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -17194,14 +15904,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -17210,19 +15917,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -17240,38 +15946,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -17279,33 +15984,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -17328,14 +16025,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -17348,9 +16041,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17364,16 +16057,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -17385,11 +16072,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17403,43 +16088,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -17478,40 +16146,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17526,14 +16184,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17553,21 +16208,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17582,14 +16234,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17609,10 +16258,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17632,31 +16280,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -17677,12 +16319,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17694,8 +16334,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -17710,14 +16350,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17728,10 +16364,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -17744,38 +16379,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -17811,56 +16434,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -17869,19 +16486,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -17903,42 +16520,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -17952,11 +16569,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -17969,8 +16587,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -18008,12 +16627,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io @@ -18067,19 +16681,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -18087,68 +16706,68 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -18170,13 +16789,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -18191,22 +16809,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -18223,17 +16843,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -18246,13 +16869,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -18262,10 +16886,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -18287,11 +16911,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -18299,58 +16922,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18363,20 +16977,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -18396,42 +17007,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18444,12 +17048,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -18464,32 +17066,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -18520,11 +17117,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -18532,58 +17128,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18596,20 +17183,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -18629,42 +17213,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -18677,12 +17254,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -18697,32 +17272,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -18740,20 +17310,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -18761,52 +17330,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -18818,19 +17384,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -18850,38 +17414,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -18893,12 +17454,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -18913,32 +17472,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -18954,10 +17509,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -18979,34 +17534,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -19018,21 +17572,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -19044,12 +17596,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -19057,50 +17608,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -19122,11 +17670,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -19134,58 +17681,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -19198,20 +17736,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -19231,42 +17766,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -19279,12 +17807,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19299,32 +17825,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -19355,11 +17876,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -19367,58 +17887,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -19431,20 +17942,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -19464,42 +17972,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -19512,12 +18013,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19532,32 +18031,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -19575,20 +18069,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -19596,52 +18089,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -19653,19 +18143,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -19685,38 +18173,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -19728,12 +18213,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19748,32 +18231,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -19799,15 +18278,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -19829,14 +18307,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -19851,25 +18327,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -19887,20 +18362,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -19913,15 +18388,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -19934,42 +18408,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19983,13 +18456,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -20009,20 +18480,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -20036,13 +18505,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -20062,10 +18529,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -20074,14 +18540,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -20097,15 +18564,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -20127,14 +18593,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -20149,25 +18613,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -20185,20 +18648,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -20211,15 +18674,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -20238,13 +18700,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -20255,31 +18716,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -20293,23 +18754,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -20331,14 +18791,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -20353,25 +18811,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -20389,20 +18846,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -20415,15 +18872,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -20437,47 +18893,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -20491,13 +18943,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -20517,20 +18967,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -20544,13 +18992,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -20570,10 +19016,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -20595,31 +19040,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -20640,12 +19079,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20657,8 +19094,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -20673,14 +19110,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20691,10 +19124,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -20707,36 +19139,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -20771,12 +19193,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -20817,9 +19236,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -20831,9 +19250,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -20843,8 +19262,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -20863,13 +19283,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -20878,19 +19296,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -20908,37 +19325,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -20946,31 +19363,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -20991,13 +19402,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -21009,9 +19417,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -21025,15 +19433,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -21044,10 +19447,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -21060,40 +19462,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -21129,37 +19517,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -21174,14 +19555,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -21201,20 +19579,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -21229,14 +19605,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -21256,10 +19629,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -21279,29 +19651,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -21322,12 +19690,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -21339,8 +19705,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -21355,13 +19721,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -21372,10 +19735,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -21388,35 +19750,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -21451,54 +19804,50 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -21507,19 +19856,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -21536,17 +19885,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -21554,9 +19903,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -21569,34 +19918,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -21608,11 +19957,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21623,17 +19971,17 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object status: - description: Status contains policy runtime information. Deprecated. Policy - metrics are available via the metrics endpoint + description: |- + Status contains policy runtime information. + Deprecated. Policy metrics are available via the metrics endpoint properties: autogen: description: Autogen contains autogen status information @@ -21642,24 +19990,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -21681,13 +20028,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -21702,23 +20048,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -21735,19 +20082,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -21760,14 +20108,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -21777,11 +20125,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -21803,10 +20150,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -21815,60 +20161,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21881,20 +20216,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -21915,44 +20247,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21965,12 +20288,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -21985,36 +20306,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22044,10 +20357,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -22056,60 +20368,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22122,20 +20423,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -22156,44 +20454,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22206,12 +20495,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -22226,36 +20513,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22272,21 +20551,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -22294,57 +20571,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22357,20 +20626,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -22390,42 +20656,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22438,12 +20697,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -22458,32 +20715,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22499,11 +20752,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -22527,37 +20779,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22570,22 +20818,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -22597,11 +20842,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -22610,50 +20854,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -22676,10 +20916,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -22688,60 +20927,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22754,20 +20982,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -22788,44 +21013,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22838,12 +21054,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -22858,36 +21072,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -22917,10 +21123,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -22929,60 +21134,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -22995,20 +21189,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -23029,44 +21220,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -23079,12 +21261,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -23099,36 +21279,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -23145,21 +21317,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -23167,57 +21337,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -23230,20 +21392,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -23263,42 +21422,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -23311,12 +21463,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -23331,32 +21481,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -23383,16 +21529,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -23415,15 +21559,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -23438,25 +21579,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -23476,21 +21615,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -23504,15 +21642,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -23527,43 +21664,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23578,14 +21713,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23605,20 +21737,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23633,14 +21763,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23660,10 +21787,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -23672,14 +21798,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -23695,16 +21822,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -23727,15 +21852,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -23750,25 +21872,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -23788,21 +21908,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -23816,15 +21935,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -23844,14 +21962,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -23862,32 +21978,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -23902,24 +22017,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -23942,15 +22055,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -23965,25 +22075,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -24003,21 +22111,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -24031,15 +22138,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -24054,48 +22160,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -24110,14 +22212,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24137,20 +22236,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -24165,14 +22262,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24192,10 +22286,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -24218,31 +22311,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -24263,13 +22350,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24281,9 +22365,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -24297,15 +22381,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24316,10 +22395,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -24332,40 +22410,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24401,12 +22465,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -24447,10 +22508,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -24462,9 +22522,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -24474,9 +22534,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -24495,14 +22555,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -24511,19 +22568,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -24541,38 +22597,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -24580,33 +22635,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -24629,14 +22676,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -24649,9 +22692,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -24665,16 +22708,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -24686,11 +22723,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -24704,43 +22739,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -24779,40 +22797,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -24827,14 +22835,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24854,21 +22859,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -24883,14 +22885,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24910,10 +22909,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -24933,31 +22931,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -24978,12 +22970,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -24995,8 +22985,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -25011,14 +23001,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -25029,10 +23015,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -25045,38 +23030,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -25112,56 +23085,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -25170,19 +23137,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -25204,42 +23171,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -25253,11 +23220,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -25270,8 +23238,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -25343,19 +23312,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -25363,67 +23337,67 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -25445,13 +23419,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -25466,22 +23439,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -25498,17 +23473,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -25521,13 +23499,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -25537,10 +23516,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -25562,11 +23541,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25574,58 +23552,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25638,20 +23607,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25671,42 +23637,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25719,12 +23678,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25739,32 +23696,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -25795,11 +23747,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -25807,58 +23758,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25871,20 +23813,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -25904,42 +23843,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25952,12 +23884,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -25972,32 +23902,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26016,10 +23941,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -26041,34 +23966,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -26080,21 +24004,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -26106,12 +24028,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean type: object imageExtractors: @@ -26119,50 +24040,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -26184,11 +24102,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -26196,58 +24113,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26260,20 +24168,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -26293,42 +24198,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26341,12 +24239,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -26361,32 +24257,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26417,11 +24308,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -26429,58 +24319,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26493,20 +24374,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -26526,42 +24404,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26574,12 +24445,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -26594,32 +24463,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: @@ -26648,15 +24512,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26678,14 +24541,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26700,25 +24561,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26736,20 +24596,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -26762,15 +24622,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26783,42 +24642,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26832,13 +24690,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26858,20 +24714,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26885,13 +24739,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -26911,10 +24763,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -26923,14 +24774,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be @@ -26946,15 +24798,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26976,14 +24827,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -26998,25 +24847,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -27034,20 +24882,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -27060,15 +24908,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -27087,13 +24934,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27104,18 +24950,18 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -27126,11 +24972,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27148,18 +24994,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -27170,11 +25016,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27192,9 +25038,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27203,25 +25049,25 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: @@ -27234,13 +25080,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27258,17 +25102,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: @@ -27281,13 +25125,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27305,9 +25147,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27324,23 +25166,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -27362,14 +25203,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -27384,25 +25223,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -27420,20 +25258,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -27446,15 +25284,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -27468,47 +25305,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27522,13 +25355,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27548,20 +25379,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27575,13 +25404,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -27601,10 +25428,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -27626,31 +25452,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -27671,12 +25491,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27688,8 +25506,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -27704,14 +25522,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27722,10 +25536,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -27738,36 +25551,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -27802,12 +25605,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -27848,9 +25648,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -27862,9 +25662,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -27874,8 +25674,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -27894,13 +25695,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -27909,19 +25708,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -27939,22 +25737,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors @@ -27962,31 +25759,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -28007,13 +25798,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -28025,9 +25813,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -28041,15 +25829,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -28060,10 +25843,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -28076,40 +25858,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -28145,37 +25913,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28190,14 +25951,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28217,20 +25975,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28245,14 +26001,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28272,10 +26025,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -28295,29 +26047,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -28338,12 +26086,10 @@ spec: to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -28355,8 +26101,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -28371,13 +26117,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -28388,10 +26131,9 @@ spec: - url type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity @@ -28404,35 +26146,26 @@ spec: keys properties: kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address of @@ -28467,39 +26200,34 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -28508,9 +26236,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -28527,17 +26255,17 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce @@ -28545,9 +26273,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: @@ -28560,34 +26288,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -28599,11 +26327,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -28614,11 +26341,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -28632,24 +26358,23 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent @@ -28671,13 +26396,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -28692,23 +26416,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -28725,19 +26450,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -28750,14 +26476,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -28767,11 +26493,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -28793,10 +26518,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -28805,60 +26529,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -28871,20 +26584,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -28905,44 +26615,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -28955,12 +26656,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -28975,36 +26674,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29034,10 +26725,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29046,60 +26736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29112,20 +26791,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29146,44 +26822,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29196,12 +26863,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29216,36 +26881,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29262,21 +26919,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -29284,57 +26939,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29347,20 +26994,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29380,42 +27024,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29428,12 +27065,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29448,32 +27083,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29489,11 +27120,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -29517,37 +27147,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29560,22 +27186,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -29587,11 +27210,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object @@ -29600,50 +27222,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -29666,10 +27284,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29678,60 +27295,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29744,20 +27350,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -29778,44 +27381,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29828,12 +27422,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29848,36 +27440,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -29907,10 +27491,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: @@ -29919,60 +27502,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29985,20 +27557,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30019,44 +27588,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30069,12 +27629,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30089,36 +27647,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30135,21 +27685,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -30157,57 +27705,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30220,20 +27760,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -30253,42 +27790,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30301,12 +27831,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -30321,32 +27849,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -30373,16 +27897,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30405,15 +27927,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -30428,25 +27947,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30466,21 +27983,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -30494,15 +28010,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -30517,43 +28032,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30568,14 +28081,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -30595,20 +28105,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30623,14 +28131,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -30650,10 +28155,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -30662,14 +28166,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to @@ -30685,16 +28190,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30717,15 +28220,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -30740,25 +28240,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30778,21 +28276,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -30806,15 +28303,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -30834,14 +28330,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -30852,32 +28346,31 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: @@ -30892,24 +28385,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30932,15 +28423,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -30955,25 +28443,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30993,21 +28479,20 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference @@ -31021,15 +28506,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -31044,48 +28528,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31100,14 +28580,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31127,20 +28604,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31155,14 +28630,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31182,10 +28654,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31208,31 +28679,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -31253,13 +28718,10 @@ spec: certificates used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31271,9 +28733,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -31287,15 +28749,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31306,10 +28763,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -31322,40 +28778,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31391,12 +28833,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -31437,10 +28876,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -31452,9 +28890,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -31464,9 +28902,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces @@ -31485,14 +28923,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -31501,19 +28936,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -31531,38 +28965,37 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. + description: |- + AdditionalExtensions are certificate-extensions used for keyless signing. + Deprecated. type: object annotations: additionalProperties: type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + Deprecated. Use annotations per Attestor instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required @@ -31570,33 +29003,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested @@ -31619,14 +29044,10 @@ spec: verify type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -31639,9 +29060,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -31655,16 +29076,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -31676,11 +29091,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -31694,43 +29107,26 @@ spec: or more public keys properties: kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the @@ -31769,40 +29165,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31817,14 +29203,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31844,21 +29227,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31873,14 +29253,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -31900,10 +29277,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31923,31 +29299,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested AttestorSet @@ -31968,12 +29338,10 @@ spec: used to verify type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -31985,8 +29353,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: @@ -32001,14 +29369,10 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked and a root certificate chain is expected instead. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -32019,10 +29383,9 @@ spec: - url type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -32035,38 +29398,26 @@ spec: public keys properties: kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If the value is nil, + Rekor is not checked. If an empty object is provided the public instance of + Rekor (https://rekor.sigstore.dev) is used. properties: url: description: URL is the address @@ -32102,56 +29453,50 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' + description: |- + Image is the image name consisting of the registry address, repository, image, and tag. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. + description: |- + Issuer is the certificate issuer used for keyless signing. + Deprecated. Use KeylessAttestor instead. type: string key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. + description: |- + Key is the PEM encoded public key that the image or attestation is signed with. + Deprecated. Use StaticKeyAttestor instead. type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -32160,19 +29505,19 @@ spec: check. type: boolean roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. + description: |- + Roots is the PEM encoded Root certificate chain used for keyless signing + Deprecated. Use KeylessAttestor instead. type: string subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. + description: |- + Subject is the identity used for keyless signing, for example an email address + Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary @@ -32194,42 +29539,42 @@ spec: policy items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -32243,11 +29588,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -32260,8 +29606,9 @@ spec: type: object type: array ready: - description: Ready indicates if the policy is ready to serve the admission - request. Deprecated in favor of Conditions + description: |- + Ready indicates if the policy is ready to serve the admission request. + Deprecated in favor of Conditions type: boolean rulecount: description: RuleCount describes total number of rules in a policy @@ -32299,12 +29646,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -32326,14 +29668,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -32341,11 +29688,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -32353,9 +29699,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -32391,11 +29738,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -32403,52 +29749,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32460,19 +29803,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -32492,38 +29833,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32535,12 +29873,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -32555,32 +29891,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -32609,11 +29941,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -32621,52 +29952,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32678,19 +30006,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array @@ -32710,38 +30036,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -32753,12 +30076,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -32773,32 +30094,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -32823,12 +30140,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -32872,14 +30184,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -32898,9 +30215,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -32918,10 +30235,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with @@ -32937,38 +30253,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string @@ -32982,22 +30293,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string @@ -33011,12 +30319,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -33038,14 +30344,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting @@ -33068,10 +30371,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -33127,10 +30430,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -33173,8 +30476,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -33187,8 +30491,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: @@ -33206,7 +30511,8 @@ spec: type: object type: array handler: - description: Handler represents the instance ID that handles the UR + description: |- + Handler represents the instance ID that handles the UR Deprecated type: string message: @@ -33228,12 +30534,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -33280,14 +30581,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33314,35 +30620,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33354,11 +30660,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -33366,63 +30671,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -33460,15 +30765,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 @@ -33489,61 +30795,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33555,10 +30871,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -33595,12 +30911,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - app.kubernetes.io/component: crds - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest + controller-gen.kubebuilder.io/version: v0.14.0 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -33646,14 +30957,19 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33680,35 +30996,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33720,11 +31036,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -33732,63 +31047,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -33826,15 +31141,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 @@ -33855,61 +31171,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -33921,10 +31247,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -34061,13 +31387,13 @@ rules: verbs: - create - apiGroups: - - '*' + - '*' resources: - - '*' + - '*' verbs: - - get - - list - - watch + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -34095,14 +31421,6 @@ metadata: app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: latest rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - kyverno.io resources: @@ -34159,6 +31477,14 @@ rules: - update - patch - delete + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -34186,14 +31512,6 @@ metadata: app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: latest rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - admissionregistration.k8s.io resources: @@ -34255,6 +31573,14 @@ rules: - subjectaccessreviews verbs: - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -34491,14 +31817,6 @@ metadata: app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: latest rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - kyverno.io resources: @@ -34539,6 +31857,14 @@ rules: verbs: - create - patch + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1