diff --git a/scenarios/config/build-a-backdoor/tasks.yaml b/scenarios/config/build-a-backdoor/tasks.yaml new file mode 100644 index 00000000..e1fc27d3 --- /dev/null +++ b/scenarios/config/build-a-backdoor/tasks.yaml @@ -0,0 +1,14 @@ +category: KubeCon +difficulty: KubeCon +kind: cp.simulator/scenario:1.0.0 +objective: Undo Kubernetes controls to allow access to an exploitable application +tasks: + "1": + hints: + sortOrder: 1 + startingPoint: + mode: pod + podName: jumpbox-terminal + podNamespace: dmz + summary: Can you build a backdoor for Hashjack to exploit? +name: build-a-backdoor diff --git a/scenarios/playbooks/build-a-backdoor.yaml b/scenarios/playbooks/build-a-backdoor.yaml new file mode 100644 index 00000000..b334a18b --- /dev/null +++ b/scenarios/playbooks/build-a-backdoor.yaml @@ -0,0 +1,11 @@ +--- + +- name: Build a Backdoor + hosts: bastion:master-1 + become: yes + vars: + state: present + socat_target_ip: "{{ hostvars['master-1']['ansible_facts']['default_ipv4']['address'] }}" + roles: + - build-a-backdoor + - socat diff --git a/scenarios/roles/build-a-backdoor/files/manifests/01-kyverno-install.yaml b/scenarios/roles/build-a-backdoor/files/manifests/01-kyverno-install.yaml new file mode 100644 index 00000000..1946e666 --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/manifests/01-kyverno-install.yaml @@ -0,0 +1,7888 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + kind: ClusterPolicy + listKind: ClusterPolicyList + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.background + name: Background + type: string + - jsonPath: .spec.validationFailureAction + name: Action + type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + priority: 1 + type: string + - jsonPath: .status.ready + name: Ready + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + background: + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string + generateExistingOnPolicyUpdate: + description: GenerateExistingOnPolicyUpdate controls wether to trigger + generate rule in existing resources If is set to "true" generate + rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". + type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. + properties: + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct + returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + data: + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object + match: + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request + to the Kubernetes API server. The JSON data + retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. For example a JMESPath of "items + | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET request to the + Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 + JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request + to the Kubernetes API server. The JSON data + retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. For example a JMESPath of "items + | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET request to the + Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use + the current list element as the scope for validation. + Defaults to "true" if not specified. When set to + "false", "request.object" is used as the validation + scope within the foreach block to allow referencing + other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions + used for keyless signing. Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. + Every specified key-value pair must exist and match + in the verified payload. The payload may contain other + key-value pairs. Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for signed + in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. + Kyverno fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. See + https://github.com/in-toto/attestation. Kyverno fetches + signed attestations from the OCI registry and decodes + them into a list of Statements. + properties: + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there + are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions + wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one + of its sub-conditions passes. AllConditions + get fulfilled only when all of its sub-conditions + pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is null, + all entries must match (a logical AND). If the + count is 1, at least one entry must match (a logical + OR). If the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes for + keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of match + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked + and a root certificate chain is expected + instead. If an empty object is provided + the public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one or more public + keys + properties: + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: 'Image is the image name consisting of the + registry address, repository, image, and tag. Wildcards + (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead.' + type: string + imageReferences: + description: 'ImageReferences is a list of matching image + reference patterns. At least one pattern in the list + must match the image for the rule to apply. Each image + reference consists of a registry address (defaults to + docker.io), repository, image, and tag (defaults to + latest). Wildcards (''*'' and ''?'') are allowed. See: + https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + issuer: + description: Issuer is the certificate issuer used for + keyless signing. Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Key is the PEM encoded public key that the + image or attestation is signed with. Deprecated. Use + StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Roots is the PEM encoded Root certificate + chain used for keyless signing Deprecated. Use KeylessAttestor + instead. + type: string + subject: + description: Subject is the identity used for keyless + signing, for example an email address Deprecated. Use + KeylessAttestor instead. + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + type: object + type: array + schemaValidation: + description: SchemaValidation skips policy validation checks. Optional. + The default value is set to "true", it must be set to "false" to + disable the validation checks. + type: boolean + validationFailureAction: + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". + enum: + - audit + - enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy + attribute that specifies ValidationFailureAction namespace-wise. + It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + type: string + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + description: Conditions is a list of conditions that apply to the + policy + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Ready indicates if the policy is ready to serve the admission + request. Deprecated in favor of Conditions + type: boolean + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: clusterpolicyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + shortNames: + - cpolr + singular: clusterpolicyreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: clusterreportchangerequests.kyverno.io +spec: + group: kyverno.io + names: + kind: ClusterReportChangeRequest + listKind: ClusterReportChangeRequestList + plural: clusterreportchangerequests + shortNames: + - crcr + singular: clusterreportchangerequest + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: generaterequests.kyverno.io +spec: + group: kyverno.io + names: + kind: GenerateRequest + listKind: GenerateRequestList + plural: generaterequests + shortNames: + - gr + singular: generaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: GenerateRequest is a request to process generate rule. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec is the information to identify the generate request. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + type: string + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + uid: + description: A unique value that identifies this user + across time. If this user is deleted and another user + by the same name is added, they will have different + UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + policy: + description: Specifies the name of the policy. + type: string + resource: + description: ResourceSpec is the information to identify the generate + request. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + required: + - context + - policy + - resource + type: object + status: + description: Status contains statistics related to generate request. + properties: + generatedResources: + description: This will track the resources that are generated by the + generate Policy. Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + message: + description: Specifies request status message. + type: string + state: + description: State represents state of the generate request. + type: string + required: + - state + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: policies.kyverno.io +spec: + group: kyverno.io + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.background + name: Background + type: string + - jsonPath: .spec.validationFailureAction + name: Action + type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + priority: 1 + type: string + - jsonPath: .status.ready + name: Ready + type: string + name: v1 + schema: + openAPIV3Schema: + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + background: + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string + generateExistingOnPolicyUpdate: + description: GenerateExistingOnPolicyUpdate controls wether to trigger + generate rule in existing resources If is set to "true" generate + rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". + type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. + properties: + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct + returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + data: + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object + match: + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request + to the Kubernetes API server. The JSON data + retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. For example a JMESPath of "items + | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET request to the + Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 + JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request + to the Kubernetes API server. The JSON data + retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. For example a JMESPath of "items + | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET request to the + Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use + the current list element as the scope for validation. + Defaults to "true" if not specified. When set to + "false", "request.object" is used as the validation + scope within the foreach block to allow referencing + other elements in the subtree. + type: boolean + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions + used for keyless signing. Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. + Every specified key-value pair must exist and match + in the verified payload. The payload may contain other + key-value pairs. Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for signed + in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. + Kyverno fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. See + https://github.com/in-toto/attestation. Kyverno fetches + signed attestations from the OCI registry and decodes + them into a list of Statements. + properties: + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there + are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions + wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one + of its sub-conditions passes. AllConditions + get fulfilled only when all of its sub-conditions + pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: PredicateType defines the type of Predicate + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is null, + all entries must match (a logical AND). If the + count is 1, at least one entry must match (a logical + OR). If the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes for + keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of match + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked + and a root certificate chain is expected + instead. If an empty object is provided + the public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one or more public + keys + properties: + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If the value is nil, Rekor is not checked. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: 'Image is the image name consisting of the + registry address, repository, image, and tag. Wildcards + (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + Deprecated. Use ImageReferences instead.' + type: string + imageReferences: + description: 'ImageReferences is a list of matching image + reference patterns. At least one pattern in the list + must match the image for the rule to apply. Each image + reference consists of a registry address (defaults to + docker.io), repository, image, and tag (defaults to + latest). Wildcards (''*'' and ''?'') are allowed. See: + https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + issuer: + description: Issuer is the certificate issuer used for + keyless signing. Deprecated. Use KeylessAttestor instead. + type: string + key: + description: Key is the PEM encoded public key that the + image or attestation is signed with. Deprecated. Use + StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Roots is the PEM encoded Root certificate + chain used for keyless signing Deprecated. Use KeylessAttestor + instead. + type: string + subject: + description: Subject is the identity used for keyless + signing, for example an email address Deprecated. Use + KeylessAttestor instead. + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + type: object + type: array + schemaValidation: + description: SchemaValidation skips policy validation checks. Optional. + The default value is set to "true", it must be set to "false" to + disable the validation checks. + type: boolean + validationFailureAction: + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". + enum: + - audit + - enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy + attribute that specifies ValidationFailureAction namespace-wise. + It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + type: string + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime information. Deprecated. Policy + metrics are available via the metrics endpoint + properties: + conditions: + description: Conditions is a list of conditions that apply to the + policy + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Ready indicates if the policy is ready to serve the admission + request. Deprecated in favor of Conditions + type: boolean + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: policyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + shortNames: + - polr + singular: policyreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: reportchangerequests.kyverno.io +spec: + group: kyverno.io + names: + kind: ReportChangeRequest + listKind: ReportChangeRequestList + plural: reportchangerequests + shortNames: + - rcr + singular: reportchangerequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + labels: + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: updaterequests.kyverno.io +spec: + group: kyverno.io + names: + kind: UpdateRequest + listKind: UpdateRequestList + plural: updaterequests + shortNames: + - ur + singular: updaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequestStatus is a request to process mutate and generate + rules in background. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec is the information to identify the update request. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: DryRun indicates that modifications will + definitely not be persisted for this request. Defaults + to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: Name is the name of the object as presented + in the request. On a CREATE operation, the client may + omit name and rely on the server to generate the name. If + that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: Operation is the operation being performed. + This may be different than the operation requested. + e.g. a patch can result in either a CREATE or UPDATE + Operation. + type: string + options: + description: Options is the operation option structure + of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` + or `meta.k8s.io/v1.CreateOptions`. This may be different + than the options the caller provided. e.g. for a patch + request the performed Operation might be a CREATE, in + which case the Options will a `meta.k8s.io/v1.CreateOptions` + even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: "RequestKind is the fully-qualified type + of the original API request (for example, v1.Pod or + autoscaling.v1.Scale). If this is specified and differs + from the value in \"kind\", an equivalent match and + conversion was performed. \n For example, if deployments + can be modified via apps/v1 and apps/v1beta1, and a + webhook registered a rule of `apiGroups:[\"apps\"], + apiVersions:[\"v1\"], resources: [\"deployments\"]` + and `matchPolicy: Equivalent`, an API request to apps/v1beta1 + deployments would be converted and sent to the webhook + with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` + (matching the rule the webhook registered for), and + `requestKind: {group:\"apps\", version:\"v1beta1\", + kind:\"Deployment\"}` (indicating the kind of the original + API request). \n See documentation for the \"matchPolicy\" + field in the webhook configuration type for more details." + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: "RequestResource is the fully-qualified resource + of the original API request (for example, v1.pods). + If this is specified and differs from the value in \"resource\", + an equivalent match and conversion was performed. \n + For example, if deployments can be modified via apps/v1 + and apps/v1beta1, and a webhook registered a rule of + `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: + [\"deployments\"]` and `matchPolicy: Equivalent`, an + API request to apps/v1beta1 deployments would be converted + and sent to the webhook with `resource: {group:\"apps\", + version:\"v1\", resource:\"deployments\"}` (matching + the resource the webhook registered for), and `requestResource: + {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` + (indicating the resource of the original API request). + \n See documentation for the \"matchPolicy\" field in + the webhook configuration type." + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: RequestSubResource is the name of the subresource + of the original API request, if any (for example, "status" + or "scale") If this is specified and differs from the + value in "subResource", an equivalent match and conversion + was performed. See documentation for the "matchPolicy" + field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: UID is an identifier for the individual request/response. + It allows us to distinguish instances of requests which + are otherwise identical (parallel requests, requests + when earlier requests did not modify etc) The UID is + meant to track the round trip (request/response) between + the KAS and the WebHook, not the user request. It is + suitable for correlating log entries between the webhook + and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + uid: + description: A unique value that identifies this user + across time. If this user is deleted and another + user by the same name is added, they will have different + UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + uid: + description: A unique value that identifies this user + across time. If this user is deleted and another user + by the same name is added, they will have different + UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the update + request. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + required: + - context + - policy + - resource + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: This will track the resources that are updated by the + generate Policy. Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + type: object + type: array + handler: + description: Handler represents the instance ID that handles the UR + type: string + message: + description: Specifies request status message. + type: string + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:leaderelection + namespace: kyverno +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-generaterequest +rules: +- apiGroups: + - kyverno.io + resources: + - generaterequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-policies +rules: +- apiGroups: + - kyverno.io + resources: + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-policyreport +rules: +- apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-reportchangerequest +rules: +- apiGroups: + - kyverno.io + resources: + - reportchangerequests + - clusterreportchangerequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:events +rules: +- apiGroups: + - '*' + resources: + - events + verbs: + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:generate +rules: +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + - networkpolicies + verbs: + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + - configmaps + - secrets + - resourcequotas + - limitranges + verbs: + - create + - update + - patch + - delete +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:policies +rules: +- apiGroups: + - kyverno.io + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + - generaterequests + - generaterequests/status + - updaterequests + - updaterequests/status + - reportchangerequests + - reportchangerequests/status + - clusterreportchangerequests + - clusterreportchangerequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection +- apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:userinfo +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:view +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:webhook +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:leaderelection + namespace: kyverno +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:leaderelection +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:events +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:events +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:generate +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generate +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:policies +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policies +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:view +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:view +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: v1 +data: + excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler + generateSuccessEvents: "false" + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][*,kyverno,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]' + webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]' +kind: ConfigMap +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno + namespace: kyverno +--- +apiVersion: v1 +data: + metricsRefreshInterval: 24h + namespaces: '{"exclude":[],"include":[]}' +kind: ConfigMap +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno-metrics + namespace: kyverno +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno-svc + namespace: kyverno +spec: + ports: + - name: https + port: 443 + targetPort: https + selector: + app: kyverno + app.kubernetes.io/name: kyverno +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno-svc-metrics + namespace: kyverno +spec: + ports: + - name: metrics-port + port: 8000 + targetPort: metrics-port + selector: + app: kyverno + app.kubernetes.io/name: kyverno +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + name: kyverno + namespace: kyverno +spec: + replicas: 1 + selector: + matchLabels: + app: kyverno + app.kubernetes.io/name: kyverno + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + template: + metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.7.3 + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - kyverno + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - -v=2 + - --autogenInternals=false + env: + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SVC + value: kyverno-svc + - name: TUF_ROOT + value: /.sigstore + image: ghcr.io/kyverno/kyverno:v1.7.3 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 2 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: kyverno + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics-port + protocol: TCP + readinessProbe: + failureThreshold: 4 + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + memory: 384Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /.sigstore + name: sigstore + initContainers: + - env: + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/kyverno/kyvernopre:v1.7.3 + imagePullPolicy: Always + name: kyverno-pre + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + securityContext: + runAsNonRoot: true + serviceAccountName: kyverno-service-account + volumes: + - emptyDir: {} + name: sigstore diff --git a/scenarios/roles/build-a-backdoor/files/manifests/02-netpol-policies.yaml b/scenarios/roles/build-a-backdoor/files/manifests/02-netpol-policies.yaml new file mode 100644 index 00000000..297faf8a --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/manifests/02-netpol-policies.yaml @@ -0,0 +1,77 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-networkpolicy-empty-podselector + annotations: + policies.kyverno.io/title: Restrict NetworkPolicy with Empty podSelector + policies.kyverno.io/category: Other, Multi-Tenancy + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: NetworkPolicy + policies.kyverno.io/description: >- + By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all + network traffic is unencrypted. It is recommended to not use an empty podSelector in order to + more closely control the necessary traffic flows. This policy requires that all NetworkPolicies + other than that of `default-deny` not use an empty podSelector. +spec: + validationFailureAction: enforce + background: true + rules: + - name: empty-podselector + match: + any: + - resources: + kinds: + - NetworkPolicy + exclude: + any: + - resources: + kinds: + - NetworkPolicy + names: + - default-deny + validate: + message: "SECOPS ALERT: NetworkPolicies must not use an empty podSelector." + deny: + conditions: + any: + - key: "{{request.object.spec.podSelector.keys(@) | length(@)}}" + operator: Equals + value: 0 +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-networkpolicy-allow-all-ingress + annotations: + policies.kyverno.io/title: Restrict NetworkPolicy with Allow All Ingress + policies.kyverno.io/category: Other, Multi-Tenancy + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: NetworkPolicy + policies.kyverno.io/description: >- + By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all + network traffic is unencrypted. This custom policy prevents allow any ingress rules. +spec: + validationFailureAction: enforce + background: true + rules: + - name: restrict-allow-all-ingress + match: + any: + - resources: + kinds: + - NetworkPolicy + exclude: + any: + - resources: + kinds: + - NetworkPolicy + names: + - default-deny + validate: + message: "SECOPS ALERT: NetworkPolicies must not use an allow all ingress." + deny: + conditions: + any: + - key: "{{request.object.spec.ingress[].ports[].keys(@) | length(@) }}" + operator: Equals + value: 0 \ No newline at end of file diff --git a/scenarios/roles/build-a-backdoor/files/manifests/03-nodeport-policy.yaml b/scenarios/roles/build-a-backdoor/files/manifests/03-nodeport-policy.yaml new file mode 100644 index 00000000..96a66f74 --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/manifests/03-nodeport-policy.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-nodeport + annotations: + policies.kyverno.io/title: Disallow NodePort + policies.kyverno.io/category: Best Practices + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Service + policies.kyverno.io/description: >- + A Kubernetes Service of type NodePort uses a host port to receive traffic from + any source. A NetworkPolicy cannot be used to control traffic to host ports. + Although NodePort Services can be useful, their use must be limited to Services + with additional upstream security checks. This policy validates that any new Services + do not use the `NodePort` type. +spec: + validationFailureAction: enforce + background: true + rules: + - name: validate-nodeport + match: + any: + - resources: + kinds: + - Service + namespaces: + - ii-prod + validate: + message: "SECOPS ALERT: Services of type NodePort are restricted." + pattern: + spec: + =(type): "!NodePort" \ No newline at end of file diff --git a/scenarios/roles/build-a-backdoor/files/manifests/04-ingress-policies.yaml b/scenarios/roles/build-a-backdoor/files/manifests/04-ingress-policies.yaml new file mode 100644 index 00000000..1e716304 --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/manifests/04-ingress-policies.yaml @@ -0,0 +1,205 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-ingress-nginx-custom-snippets + annotations: + policies.kyverno.io/title: Disallow Custom Snippets + policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/subject: ConfigMap, Ingress + policies.kyverno.io/minversion: "1.6.0" + kyverno.io/kyverno-version: "1.6.0" + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + Users that can create or update ingress objects can use the custom snippets + feature to obtain all secrets in the cluster (CVE-2021-25742). This policy + disables allow-snippet-annotations in the ingress-nginx configuration and + blocks *-snippet annotations on an Ingress. + See: https://github.com/kubernetes/ingress-nginx/issues/7837 +spec: + validationFailureAction: enforce + rules: + - name: check-config-map + match: + any: + - resources: + kinds: + - ConfigMap + validate: + message: "ingress-nginx allow-snippet-annotations must be set to false" + pattern: + =(data): + =(allow-snippet-annotations) : "false" + - name: check-ingress-annotations + match: + any: + - resources: + kinds: + - networking.k8s.io/v1/Ingress + validate: + message: "SECOPS ALERT: Blocking attempted Nginx exploit" + pattern: + metadata: + =(annotations): + X(*-snippet): "?*" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-annotations + annotations: + policies.kyverno.io/title: Restrict NGINX Ingress annotation values + policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/severity: high + policies.kyverno.io/subject: Ingress + policies.kyverno.io/minversion: "1.6.0" + kyverno.io/kyverno-version: "1.6.0" + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. + See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. + This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the + "annotation-value-word-blocklist" configuration setting is also recommended. + Please refer to the CVE for details. +spec: + validationFailureAction: enforce + rules: + - name: check-ingress + match: + any: + - resources: + kinds: + - networking.k8s.io/v1/Ingress + validate: + message: "SECOPS ALERT: Blocking attempted Nginx exploit" + deny: + conditions: + any: + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*alias\\s*.*;', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*root\\s*.*;', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/etc/(passwd|shadow|group|nginx|ingress-controller)', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/var/run/secrets', @)}}" + operator: AnyIn + value: [true] + - key: "{{request.object.metadata.annotations.values(@)[].regex_match('.*_by_lua.*', @)}}" + operator: AnyIn + value: [true] +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-ingress-paths + annotations: + policies.kyverno.io/title: Restrict NGINX Ingress path values + policies.kyverno.io/category: Security, NGINX Ingress + policies.kyverno.io/severity: high + policies.kyverno.io/subject: Ingress + policies.kyverno.io/minversion: "1.6.0" + kyverno.io/kyverno-version: "1.6.0" + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. + Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. + Please refer to the CVE for details. +spec: + validationFailureAction: enforce + rules: + - name: check-paths + match: + any: + - resources: + kinds: + - networking.k8s.io/v1/Ingress + validate: + message: "SECOPS ALERT: Blocking attempted Nginx exploit" + deny: + conditions: + any: + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/secrets') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/root') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/kubernetes/serviceaccount') }}" + operator: AnyIn + value: [true] + - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc/kubernetes/admin.conf') }}" + operator: AnyIn + value: [true] +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-ingress-classes + annotations: + policies.kyverno.io/title: Restrict Ingress Classes + policies.kyverno.io/category: Sample + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Ingress + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/description: >- + Ingress classes should only be allowed which match up to deployed Ingress controllers + in the cluster. Allowing users to define classes which cannot be satisfied by a deployed + Ingress controller can result in either no or undesired functionality. This policy checks + Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective + annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass + resource. +spec: + validationFailureAction: enforce + background: true + rules: + - name: validate-ingress + match: + any: + - resources: + kinds: + - Ingress + validate: + message: "SECOPS ALERT: Unknown Ingress Class defined" + pattern: + metadata: + annotations: + kubernetes.io/ingress.class: "nginx" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-web-port-removal + annotations: + policies.kyverno.io/title: Restrict Web Port Removal + policies.kyverno.io/category: Sample + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Ingress + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/description: >- + The Ingress Web Port must not be removed to persist the service. +spec: + validationFailureAction: enforce + background: true + rules: + - name: restrict-web-port-removal + match: + any: + - resources: + kinds: + - Ingress + validate: + message: "SECOPS ALERT: Removal of the Web Port is restricted" + pattern: + spec: + rules: + - http: + ^(paths): + - backend: + service: + port: + number: 80 \ No newline at end of file diff --git a/scenarios/roles/build-a-backdoor/files/manifests/05-nginx-ingress-controllers.yaml b/scenarios/roles/build-a-backdoor/files/manifests/05-nginx-ingress-controllers.yaml new file mode 100644 index 00000000..9b861941 --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/manifests/05-nginx-ingress-controllers.yaml @@ -0,0 +1,391 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resourceNames: + - ingress-nginx-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: NodePort +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + spec: + containers: + - args: + - /nginx-ingress-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.7.0 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- \ No newline at end of file diff --git a/scenarios/roles/build-a-backdoor/files/manifests/06-scenario-resources.yaml b/scenarios/roles/build-a-backdoor/files/manifests/06-scenario-resources.yaml new file mode 100644 index 00000000..f7a9fb05 --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/manifests/06-scenario-resources.yaml @@ -0,0 +1,284 @@ +## Attach Container +apiVersion: v1 +kind: Namespace +metadata: + name: ii-prod +--- +apiVersion: v1 +kind: Pod +metadata: + name: ii-management-services + namespace: ii-prod + labels: + app: ii +spec: + containers: + - name: ii-website + image: controlplaneoffsec/build-a-backdoor:ii-app + ports: + - containerPort: 8080 + name: web + - containerPort: 5724 + name: ops-mgmt + env: + - name: AUTH_USERID + valueFrom: + secretKeyRef: + name: ops-mgmt + key: username + - name: AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: ops-mgmt + key: password + securityContext: + allowPrivilegeEscalation: false + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: ii-prod-mgmt-service + namespace: ii-prod +spec: + selector: + app: ii + ports: + - name: web + port: 80 + targetPort: 8080 + protocol: TCP +--- +apiVersion: v1 +kind: Secret +metadata: + name: ops-mgmt + namespace: ii-prod +type: kubernetes.io/basic-auth +stringData: + username: system + password: system +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ii-prod-mgmt-np + namespace: ii-prod +spec: + podSelector: + matchLabels: + app: ii + policyTypes: + - Ingress + ingress: + - ports: + - port: 8080 +--- +## JumpBox Resources +apiVersion: v1 +kind: Namespace +metadata: + name: dmz +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sre + namespace: dmz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ii-prod-auth-access + namespace: ii-prod +rules: +- apiGroups: + - "" + resources: + - secrets + - configmaps + - endpoints + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - patch + - update +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + - ingresses + verbs: + - get + - list + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ii-prod-auth-rb + namespace: ii-prod +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ii-prod-auth-access +subjects: +- kind: ServiceAccount + name: sre + namespace: dmz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ingress-nginx-auth-access + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ingress-nginx-auth-rb + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-auth-access +subjects: +- kind: ServiceAccount + name: sre + namespace: dmz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cr-read +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-ns-read-crb +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cr-read +subjects: +- kind: ServiceAccount + name: sre + namespace: dmz +--- +apiVersion: v1 +kind: Pod +metadata: + name: jumpbox-terminal + namespace: dmz +spec: + serviceAccountName: sre + containers: + # basic container image + - image: controlplaneoffsec/build-a-backdoor:ii-jumpbox + command: ["sleep", "2d"] + name: jumpbox-terminal + securityContext: + allowPrivilegeEscalation: false + restartPolicy: Always +--- +## Misconfigured helm chart causes incorrect ns deployment +apiVersion: v1 +kind: Namespace +metadata: + name: ii-pord +--- +apiVersion: v1 +kind: Service +metadata: + name: ii-pord-mgmt-service + namespace: ii-pord +spec: + type: NodePort + selector: + app: ii + ports: + - protocol: TCP + port: 80 + targetPort: 8080 + nodePort: 30080 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ii-pord-mgmt-np + namespace: ii-pord +spec: + podSelector: + matchLabels: + app: ii + policyTypes: + - Ingress + ingress: + - ports: + - port: 8080 +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ii-pord-auth-access + namespace: ii-pord +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - pods + - services + verbs: + - get + - list + - watch +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + - ingresses + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ii-pord-auth-rb + namespace: ii-pord +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ii-pord-auth-access +subjects: +- kind: ServiceAccount + name: sre + namespace: dmz \ No newline at end of file diff --git a/scenarios/roles/build-a-backdoor/files/manifests/07-ingress.yaml b/scenarios/roles/build-a-backdoor/files/manifests/07-ingress.yaml new file mode 100644 index 00000000..65d3f1cd --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/manifests/07-ingress.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ingress-ii-mgmt + namespace: ii-prod + annotations: + kubernetes.io/ingress.class: nginx +spec: + rules: + - http: + paths: + - path: "/" + pathType: Prefix + backend: + service: + name: ii-prod-mgmt-service + port: + number: 80 diff --git a/scenarios/roles/build-a-backdoor/files/scripts/internal.sh b/scenarios/roles/build-a-backdoor/files/scripts/internal.sh new file mode 100644 index 00000000..9bb36c43 --- /dev/null +++ b/scenarios/roles/build-a-backdoor/files/scripts/internal.sh @@ -0,0 +1,71 @@ +#!/bin/bash + +# store custom psa configuration on master node +cat <<"EOF" > /home/ubuntu/hashjacker.yaml +apiVersion: v1 +kind: Pod +metadata: + name: ii-management-services + namespace: ii-pord + labels: + app: ii +spec: + containers: + - name: hashjacker + image: controlplaneoffsec/build-a-backdoor:hashjacker + ports: + - containerPort: 8080 + env: + - name: P + value: "ha5hjackk3y4d3crypt1ngs3cret1mg!" + restartPolicy: Always +EOF + +# Checks whether backdoor is accessible externally +cat <<- "EOF" > /home/ubuntu/backdoor-checker.sh +#!/bin/bash + +set -Eeuo pipefail + +function ING_IP { + (kubectl get ing -n ii-prod -ojson | jq -r .items[].status.loadBalancer.ingress[].ip) +} + +function NODE_PORT { + (kubectl get svc ingress-nginx-controller -n ingress-nginx -ojson | jq '.spec.ports[] | select(.port==80)' | jq .nodePort) +} + +function ING_PATH { + (kubectl get ing ingress-ii-mgmt -n ii-prod -ojson | jq -r '.spec.rules[].http.paths[] | select(.backend.service.port.number==5724)' | jq -r .path) +} + +function SECRET { + (kubectl get secret flag -n ii-prod) +} + +function POD { + (kubectl get pods ii-management-services -n ii-pord) +} + +SERVICE_MSG="Vulnerable Operational Port is Unavailable" + +if [[ $(curl -L -u system:3f89a11b3fee0f6918c731702edb7244 http://$(ING_IP):$(NODE_PORT)/$(ING_PATH)) == "SYSTEM OPERATIONS" ]]; +then + if [[ $(SECRET) == 'Error from server (NotFound): secrets "flag" not found' && $(POD) == 'Error from server (NotFound): pods "ii-management-services" not found' ]]; + then + echo "Secret and Pod exist" + exit 0 + else + (kubectl create secret generic flag --from-literal=flag=flag_ctf{BACKDOOR_OPEN_HASHJACKER_DEPLOYED_IN_PORD} --namespace=ii-prod) + (kubectl apply -f /home/ubuntu/hashjacker.yaml) + fi +else + echo "$SERVICE_MSG" +fi +EOF + +# configure cron daemon +chmod +x /home/ubuntu/backdoor-checker.sh +cat <<-"EOF" > /etc/cron.d/backdoor-checker +*/1 * * * * ubuntu /home/ubuntu/backdoor-checker.sh +EOF diff --git a/scenarios/roles/build-a-backdoor/tasks/main.yaml b/scenarios/roles/build-a-backdoor/tasks/main.yaml new file mode 100644 index 00000000..5ed8412e --- /dev/null +++ b/scenarios/roles/build-a-backdoor/tasks/main.yaml @@ -0,0 +1,53 @@ +--- + +- name: Install calico network + ansible.builtin.include_role: + name: cluster-network + tasks_from: calico + +- name: Apply K8s manifests + kubernetes.core.k8s: + definition: "{{ lookup('ansible.builtin.file', item) | from_yaml_all }}" + state: "{{ state }}" + loop: + - manifests/01-kyverno-install.yaml + - manifests/02-netpol-policies.yaml + - manifests/03-nodeport-policy.yaml + - manifests/04-ingress-policies.yaml + - manifests/05-nginx-ingress-controllers.yaml + - manifests/06-scenario-resources.yaml + - manifests/07-ingress.yaml + become: no + when: "'bastion' in inventory_hostname" + +- name: Hashjack + ansible.builtin.shell: + cmd: "{{ lookup('ansible.builtin.file', 'scripts/internal.sh') }}" + args: + executable: /bin/bash + when: "state == 'present' and 'bastion' in inventory_hostname" + +- name: Remove hashjack + ansible.builtin.file: + path: "{{ item }}" + state: "{{ state }}" + loop: + - /home/ubuntu/hashjacker.yaml + - /home/ubuntu/backdoor-checker.sh + - /etc/cron.d/backdoor-checker + when: "state == 'absent' and 'bastion' in inventory_hostname" + +- name: Set starting point + ansible.builtin.include_role: + name: starting-point + tasks_from: pod + vars: + namespace: dmz + pod: jumpbox-terminal + +- name: Copy challenge + ansible.builtin.include_role: + name: starting-point + tasks_from: challenge + vars: + challenge_content: "{{ lookup('ansible.builtin.file', 'files/challenge.txt') }}" diff --git a/scenarios/roles/socat/defaults/main.yaml b/scenarios/roles/socat/defaults/main.yaml new file mode 100644 index 00000000..36fd76a2 --- /dev/null +++ b/scenarios/roles/socat/defaults/main.yaml @@ -0,0 +1,3 @@ +socat_listen_port: 8080 +socat_target_ip: localhost +socat_target_port: 30080 diff --git a/scenarios/roles/socat/tasks/main.yaml b/scenarios/roles/socat/tasks/main.yaml new file mode 100644 index 00000000..a1c95ef4 --- /dev/null +++ b/scenarios/roles/socat/tasks/main.yaml @@ -0,0 +1,30 @@ +--- + +- name: Configure socat service + ansible.builtin.template: + src: socat.service + dest: /etc/systemd/system/socat.service + mode: 0755 + when: "state == 'present' and 'bastion' in inventory_hostname" + +- name: Start socat service + ansible.builtin.systemd_service: + name: socat + state: started + enabled: yes + daemon_reload: yes + when: "state == 'present' and 'bastion' in inventory_hostname" + +- name: Stop socat service + ansible.builtin.systemd_service: + name: socat + state: stopped + enabled: no + daemon_reload: yes + when: "state == 'absent' and 'bastion' in inventory_hostname" + +- name: Remove socat service + ansible.builtin.file: + path: /etc/systemd/system/socat.service + state: "{{ state }}" + when: "state == 'absent' and 'bastion' in inventory_hostname" diff --git a/scenarios/roles/socat/templates/socat.service b/scenarios/roles/socat/templates/socat.service new file mode 100644 index 00000000..11065b7f --- /dev/null +++ b/scenarios/roles/socat/templates/socat.service @@ -0,0 +1,12 @@ +[Unit] +Description=Socat Forward + +[Service] +Type=simple +ExecStartPre=-killall -9 -q socat +ExecStart=socat TCP4-LISTEN:{{ socat_listen_port }},reuseaddr,fork TCP4:{{ socat_target_ip }}:{{ socat_target_port }} +Restart=always +RestartSec=10 + +[Install] +WantedBy=multi-user.target