From 71537505fe44c063fa27be12bd2b3fa837c38fd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Wed, 24 Jul 2024 09:50:53 +0200 Subject: [PATCH] feat: Update reference/CRDs.md for matchConditions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit File taken from kubewarden-controller/docs/crds/CRD-docs-for-docs-repo.md Signed-off-by: VĂ­ctor Cuadrado Juan --- docs/reference/CRDs.md | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/docs/reference/CRDs.md b/docs/reference/CRDs.md index b9ba9333cc..9caebbf2ea 100644 --- a/docs/reference/CRDs.md +++ b/docs/reference/CRDs.md @@ -29,15 +29,12 @@ Be careful Does yarn build work locally? # API Reference ## Packages - - [policies.kubewarden.io/v1](#policieskubewardeniov1) - [policies.kubewarden.io/v1alpha2](#policieskubewardeniov1alpha2) ## policies.kubewarden.io/v1 - - Package v1 contains API Schema definitions for the policies v1 API group ### Resource Types @@ -71,7 +68,7 @@ _Appears in:_ -AdmissionPolicyList contains a list of AdmissionPolicy +AdmissionPolicyList contains a list of AdmissionPolicy. @@ -87,7 +84,7 @@ AdmissionPolicyList contains a list of AdmissionPolicy -AdmissionPolicySpec defines the desired state of AdmissionPolicy +AdmissionPolicySpec defines the desired state of AdmissionPolicy. _Appears in:_ - [AdmissionPolicy](#admissionpolicy) @@ -103,6 +100,7 @@ _Appears in:_ | `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. | | `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". | | `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Defaults to "Equivalent" | +| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped Only available if the feature gate AdmissionWebhookMatchConditions is enabled. | | `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. | | `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. | | `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds. | @@ -145,7 +143,7 @@ ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy -ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy +ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy. _Appears in:_ - [ClusterAdmissionPolicy](#clusteradmissionpolicy) @@ -161,6 +159,7 @@ _Appears in:_ | `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. | | `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". | | `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Defaults to "Equivalent" | +| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped Only available if the feature gate AdmissionWebhookMatchConditions is enabled. | | `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. | | `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. | | `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds. | @@ -172,7 +171,7 @@ _Appears in:_ -ContextAwareResource identifies a Kubernetes resource +ContextAwareResource identifies a Kubernetes resource. _Appears in:_ - [ClusterAdmissionPolicySpec](#clusteradmissionpolicyspec) @@ -213,7 +212,7 @@ _Appears in:_ -PolicyServer is the Schema for the policyservers API +PolicyServer is the Schema for the policyservers API. _Appears in:_ - [PolicyServerList](#policyserverlist) @@ -230,7 +229,7 @@ _Appears in:_ -PolicyServerList contains a list of PolicyServer +PolicyServerList contains a list of PolicyServer. @@ -246,7 +245,7 @@ PolicyServerList contains a list of PolicyServer -PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload +PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload. _Appears in:_ - [PolicyServerSpec](#policyserverspec) @@ -261,7 +260,7 @@ _Appears in:_ -PolicyServerSpec defines the desired state of PolicyServer +PolicyServerSpec defines the desired state of PolicyServer. _Appears in:_ - [PolicyServer](#policyserver) @@ -270,8 +269,8 @@ _Appears in:_ | --- | --- | | `image` _string_ | Docker image name. | | `replicas` _integer_ | Replicas is the number of desired replicas. | -| `minAvailable` _IntOrString_ | Number of policy server replicas that must be still available after the eviction | -| `maxUnavailable` _IntOrString_ | Number of policy server replicas that can be unavailable after the eviction | +| `minAvailable` _IntOrString_ | Number of policy server replicas that must be still available after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or Max MaxUnavailable can be set. | +| `maxUnavailable` _IntOrString_ | Number of policy server replicas that can be unavailable after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or Max MaxUnavailable can be set. | | `annotations` _object (keys:string, values:string)_ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations | | `env` _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#envvar-v1-core) array_ | List of environment variables to set in the container. | | `serviceAccountName` _string_ | Name of the service account associated with the policy server. Namespace service account will be used if not specified. | @@ -283,6 +282,7 @@ _Appears in:_ | `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#affinity-v1-core)_ | Affinity rules for the associated Policy Server pods. | | `limits` _object (keys:[ResourceName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcename-v1-core), values:Quantity)_ | Limits describes the maximum amount of compute resources allowed. | | `requests` _object (keys:[ResourceName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcename-v1-core), values:Quantity)_ | Requests describes the minimum amount of compute resources required. If Request is omitted for, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value | +| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#toleration-v1-core) array_ | Tolerations describe the policy server pod's tolerations. It can be used to ensure that the policy server pod is not scheduled onto a node with a taint. | @@ -308,6 +308,7 @@ _Appears in:_ | `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. | | `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". | | `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Defaults to "Equivalent" | +| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped Only available if the feature gate AdmissionWebhookMatchConditions is enabled. | | `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. | | `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. | | `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds. | @@ -362,7 +363,7 @@ _Appears in:_ -AdmissionPolicyList contains a list of AdmissionPolicy +AdmissionPolicyList contains a list of AdmissionPolicy. @@ -378,7 +379,7 @@ AdmissionPolicyList contains a list of AdmissionPolicy -AdmissionPolicySpec defines the desired state of AdmissionPolicy +AdmissionPolicySpec defines the desired state of AdmissionPolicy. _Appears in:_ - [AdmissionPolicy](#admissionpolicy) @@ -435,7 +436,7 @@ ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy -ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy +ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy. _Appears in:_ - [ClusterAdmissionPolicy](#clusteradmissionpolicy) @@ -486,7 +487,7 @@ _Appears in:_ -PolicyServer is the Schema for the policyservers API +PolicyServer is the Schema for the policyservers API. _Appears in:_ - [PolicyServerList](#policyserverlist) @@ -503,7 +504,7 @@ _Appears in:_ -PolicyServerList contains a list of PolicyServer +PolicyServerList contains a list of PolicyServer. @@ -519,7 +520,7 @@ PolicyServerList contains a list of PolicyServer -PolicyServerSpec defines the desired state of PolicyServer +PolicyServerSpec defines the desired state of PolicyServer. _Appears in:_ - [PolicyServer](#policyserver) @@ -576,3 +577,4 @@ _Appears in:_ - [PolicyStatus](#policystatus) +