From 0d4c085d0f767cbf8239bd24a89a929199a3d947 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 23 May 2024 09:06:23 +0200
Subject: [PATCH] Helm chart minor release (#451)
Signed-off-by: Flavio Castelli
Co-authored-by: Kubewarden bot
Co-authored-by: Flavio Castelli
---
charts/kubewarden-controller/Chart.yaml | 8 +-
charts/kubewarden-controller/values.yaml | 4 +-
charts/kubewarden-crds/Chart.yaml | 6 +-
.../templates/admissionpolicies.yaml | 671 ++++---
.../templates/clusteradmissionpolicies.yaml | 881 +++++----
.../templates/policyservers.yaml | 1749 ++++++++---
charts/kubewarden-defaults/Chart.yaml | 8 +-
charts/kubewarden-defaults/values.yaml | 2 +-
8 files changed, 1750 insertions(+), 1579 deletions(-)
diff --git a/charts/kubewarden-controller/Chart.yaml b/charts/kubewarden-controller/Chart.yaml
index 125105f1..90674a56 100644
--- a/charts/kubewarden-controller/Chart.yaml
+++ b/charts/kubewarden-controller/Chart.yaml
@@ -23,9 +23,9 @@ maintainers:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.11
+version: 2.0.12-rc1
 # This is the version of Kubewarden stack
-appVersion: v1.12.0
+appVersion: v1.13.0-rc1
 annotations:
 # required ones:
 catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
@@ -35,14 +35,14 @@ annotations:
 catalog.cattle.io/display-name: Kubewarden # Only for Charts with custom UI
 catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
 # optional ones:
- catalog.cattle.io/auto-install: kubewarden-crds=1.5.0
+ catalog.cattle.io/auto-install: kubewarden-crds=1.5.1-rc1
 catalog.cattle.io/provides-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart.
 # The following two will create a UI warning if the request is not available in cluster
 # Assume the most standard setup for your chart. These can be strings with amounts, ie 64Mi or 2Gi are both valid.
 catalog.cattle.io/requests-cpu: "250m"
 catalog.cattle.io/requests-memory: "50Mi"
 catalog.cattle.io/rancher-version: ">= 2.6.0-0 <= 2.9.100-0" # Chart will only be available for users in the specified Rancher version(s), here its 2.5.0-2.5.99. This _must_ use build metadata or it won't work correctly for future RC's.
- catalog.cattle.io/upstream-version: 2.0.11
+ catalog.cattle.io/upstream-version: 2.0.12-rc1
 # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
 # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
 catalog.cattle.io/type: cluster-tool
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
index 76aba158..5f18e349 100644
--- a/charts/kubewarden-controller/values.yaml
+++ b/charts/kubewarden-controller/values.yaml
@@ -100,7 +100,7 @@ image:
 # controller image to be used
 repository: "kubewarden/kubewarden-controller"
 # image tag
- tag: v1.12.0
+ tag: v1.13.0-rc1
 pullPolicy: IfNotPresent
 preDeleteJob:
 image:
@@ -156,7 +156,7 @@ auditScanner:
 # The registry is defined in the common.cattle.systemDefaultRegistry value
 # kubectl image to be used in the pre-delete helm hook
 repository: "kubewarden/audit-scanner"
- tag: v1.12.0
+ tag: v1.13.0-rc1
 pullPolicy: IfNotPresent
 cronJob:
 schedule: "*/60 * * * *" # every 60 minutes
diff --git a/charts/kubewarden-crds/Chart.yaml b/charts/kubewarden-crds/Chart.yaml
index 310751fe..14edc7a3 100644
--- a/charts/kubewarden-crds/Chart.yaml
+++ b/charts/kubewarden-crds/Chart.yaml
@@ -22,9 +22,9 @@ keywords:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.5.0
+version: 1.5.1-rc1
 # This is the version of Kubewarden stack
-appVersion: v1.12.0
+appVersion: v1.13.0-rc1
 annotations:
 # required ones:
 catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
@@ -33,7 +33,7 @@ annotations:
 catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
 # optional ones:
 catalog.cattle.io/hidden: "true" # Hide specific charts. Only use on CRD charts.
- catalog.cattle.io/upstream-version: 1.5.0
+ catalog.cattle.io/upstream-version: 1.5.1-rc1
 # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
 # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
 catalog.cattle.io/type: cluster-tool
diff --git a/charts/kubewarden-crds/templates/admissionpolicies.yaml b/charts/kubewarden-crds/templates/admissionpolicies.yaml
index 7d90fd89..df83f4c4 100644
--- a/charts/kubewarden-crds/templates/admissionpolicies.yaml
+++ b/charts/kubewarden-crds/templates/admissionpolicies.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: admissionpolicies.policies.kubewarden.io spec: group: policies.kubewarden.io @@ -56,14 +55,19 @@ spec: description: AdmissionPolicy is the Schema for the admissionpolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -72,92 +76,106 @@ spec: properties: backgroundAudit: default: true - description: BackgroundAudit indicates whether a policy should be - used or skipped when performing audit checks. If false, the policy - cannot produce meaningful evaluation results during audit checks - and will be skipped. The default is "true". + description: |- + BackgroundAudit indicates whether a policy should be used or skipped when + performing audit checks. If false, the policy cannot produce meaningful + evaluation results during audit checks and will be skipped. + The default is "true". type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors and timeout - errors from the policy are handled. Allowed values are "Ignore" - or "Fail". * "Ignore" means that an error calling the webhook is - ignored and the API request is allowed to continue. * "Fail" means - that an error calling the webhook causes the admission to fail and - the API request to be rejected. The default behaviour is "Fail" + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" type: string matchPolicy: - description: 'matchPolicy defines how the "rules" list is used to - match incoming requests. Allowed values are "Exact" or "Equivalent". -
  • Exact: match a request only if it exactly matches a specified - rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, - and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], - apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 - or extensions/v1beta1 would not be sent to the webhook.
  • - Equivalent: match a request if modifies a resource listed in rules, - even via another API group or version. For example, if deployments - can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], - resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 - would be converted to apps/v1 and sent to the webhook.
- Defaults to "Equivalent"' + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" type: string mode: default: protect - description: Mode defines the execution mode of this policy. Can be - set to either "protect" or "monitor". If it's empty, it is defaulted - to "protect". Transitioning this setting from "monitor" to "protect" - is allowed, but is disallowed to transition from "protect" to "monitor". - To perform this transition, the policy should be recreated in "monitor" - mode instead. + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. enum: - protect - monitor type: string module: - description: Module is the location of the WASM module to be loaded. - Can be a local file (file://), a remote file served by an HTTP server + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). If prefix is missing, it will default to - registry:// and use that internally. + registry (registry://). + If prefix is missing, it will default to registry:// and use that + internally. type: string mutating: - description: Mutating indicates whether a policy has the ability to - mutate incoming requests or not. + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. type: boolean objectSelector: - description: ObjectSelector decides whether to run the webhook based - on if the object has matching labels. objectSelector is evaluated - against both the oldObject and newObject that would be sent to the - webhook, and is considered to match if either object matches the - selector. 
A null object (oldObject in the case of create, or newObject - in the case of delete) or an object that cannot have labels (like - a DeploymentRollback or a PodProxyOptions object) is not considered - to match. Use the object selector only if the webhook is opt-in, - because end users may skip the admission webhook by setting the - labels. Default to the empty LabelSelector, which matches everything. + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
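Review bot: `failurePolicy`, `matchPolicy` and `sideEffects` are bare `type: string` fields with no `enum`, whereas `mode` in the same hunk is constrained to `protect`/`monitor`; a typo such as `failurePolicy: ignore` or `matchPolicy: equivalent` therefore passes CRD validation and is only caught later, when the controller tries to materialise the webhook configuration from the policy. This file is controller-gen output, so the check belongs on the Go types: `// +kubebuilder:validation:Enum=Ignore;Fail` on FailurePolicy, `// +kubebuilder:validation:Enum=Exact;Equivalent` on MatchPolicy and `// +kubebuilder:validation:Enum=None;NoneOnDryRun` on SideEffects (the description itself says Some/Unknown are only for v1beta1 webhooks), then regenerate the chart templates. The `module` description now states that a missing scheme defaults to `registry://` while `http://` remains accepted; a sentence there recommending `https://` or `registry://` for anything beyond local testing would give operators the supply-chain caveat they need when reading `kubectl explain`. The spec block appears to be repeated further down for a second served version, where the same markers would apply.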
@@ -172,99 +190,117 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic policyServer: default: default description: PolicyServer identifies an existing PolicyServer resource. type: string rules: - description: Rules describes what operations on what resources/subresources - the webhook cares about. The webhook cares about an operation if - it matches _any_ Rule. + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. items: - description: RuleWithOperations is a tuple of Operations and Resources. - It is recommended to make sure that all the tuple expansions are - valid. + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of the - slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic apiVersions: - description: APIVersions is the API versions the resources belong - to. '*' is all versions. 
If '*' is present, the length of - the slice must be one. Required. + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic operations: - description: Operations is the operations the admission hook - cares about - CREATE, UPDATE, DELETE, CONNECT or * for all - of those operations and any future admission operations that - are added. If '*' is present, the length of the slice must - be one. Required. + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. items: description: OperationType specifies an operation for a request. type: string type: array x-kubernetes-list-type: atomic resources: - description: "Resources is a list of resources this rule applies - to. \n For example: 'pods' means pods. 'pods/log' means the - log subresource of pods. '*' means all resources, but not - subresources. 'pods/*' means all subresources of pods. '*/scale' - means all scale subresources. '*/*' means all resources and - their subresources. \n If wildcard is present, the validation - rule will ensure resources do not overlap with each other. - \n Depending on the enclosing object, subresources might not - be allowed. Required." + description: |- + Resources is a list of resources this rule applies to. + + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. 
+ + + Depending on the enclosing object, subresources might not be allowed. + Required. items: type: string type: array x-kubernetes-list-type: atomic scope: - description: scope specifies the scope of this rule. Valid values - are "Cluster", "Namespaced", and "*" "Cluster" means that - only cluster-scoped resources will match this rule. Namespace - API objects are cluster-scoped. "Namespaced" means that only - namespaced resources will match this rule. "*" means that - there are no scope restrictions. Subresources match the scope - of their parent resource. Default is "*". + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". type: string type: object type: array settings: - description: 'Settings is a free-form object that contains the policy - configuration values. x-kubernetes-embedded-resource: false' + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false nullable: true type: object x-kubernetes-preserve-unknown-fields: true sideEffects: - description: 'SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via - v1beta1 may also specify Some or Unknown). Webhooks with side effects - MUST implement a reconciliation system, since a request may be rejected - by a future step in the admission change and the side effects therefore - need to be undone. Requests with the dryRun attribute will be auto-rejected - if they match a webhook with sideEffects == Unknown or Some.' + description: |- + SideEffects states whether this webhook has side effects. 
+ Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. type: string timeoutSeconds: default: 10 - description: TimeoutSeconds specifies the timeout for this webhook. - After the timeout passes, the webhook call will be ignored or the - API call will fail based on the failure policy. The timeout value - must be between 1 and 30 seconds. Default to 10 seconds. + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 1 and 30 seconds. + Default to 10 seconds. format: int32 type: integer required: 
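Review bot: `timeoutSeconds` is described as "must be between 1 and 30 seconds" but the schema carries only `default: 10`, `format: int32` and `type: integer`, with no `minimum`/`maximum`, so `0` or `300` is accepted by the API server and only fails once the controller copies it into the webhook configuration. As this file is controller-gen output, the check belongs on the Go field: `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30` on TimeoutSeconds, then regenerate. This hunk also adds `x-kubernetes-map-type: atomic` to `objectSelector`, which matches the upstream LabelSelector semantics but means server-side apply replaces the whole selector instead of merging `matchLabels` from different field managers — worth a line in the release notes for users who manage policies with `kubectl apply --server-side`. The same spec appears to be repeated further down for another served version, where the same bounds would apply.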
@@ -277,49 +313,52 @@ spec: and AdmissionPolicy properties: conditions: - description: 'Conditions represent the observed conditions of the + description: |- + Conditions represent the observed conditions of the ClusterAdmissionPolicy resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" - and "AdmissionPolicyActive"' + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -333,11 +372,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -353,8 +393,9 @@ spec: - type x-kubernetes-list-type: map mode: - description: PolicyMode represents the observed policy mode of this - policy in the associated PolicyServer configuration + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration enum: - protect - monitor 
@@ -403,14 +444,19 @@ spec: description: AdmissionPolicy is the Schema for the admissionpolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -418,85 +464,97 @@ spec: description: AdmissionPolicySpec defines the desired state of AdmissionPolicy properties: failurePolicy: - description: FailurePolicy defines how unrecognized errors and timeout - errors from the policy are handled. Allowed values are "Ignore" - or "Fail". * "Ignore" means that an error calling the webhook is - ignored and the API request is allowed to continue. * "Fail" means - that an error calling the webhook causes the admission to fail and - the API request to be rejected. The default behaviour is "Fail" + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" type: string matchPolicy: - description: 'matchPolicy defines how the "rules" list is used to - match incoming requests. Allowed values are "Exact" or "Equivalent". -
  • Exact: match a request only if it exactly matches a specified - rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, - and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], - apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 - or extensions/v1beta1 would not be sent to the webhook.
  • - Equivalent: match a request if modifies a resource listed in rules, - even via another API group or version. For example, if deployments - can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], - resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 - would be converted to apps/v1 and sent to the webhook.
- Defaults to "Equivalent"' + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" type: string mode: default: protect - description: Mode defines the execution mode of this policy. Can be - set to either "protect" or "monitor". If it's empty, it is defaulted - to "protect". Transitioning this setting from "monitor" to "protect" - is allowed, but is disallowed to transition from "protect" to "monitor". - To perform this transition, the policy should be recreated in "monitor" - mode instead. + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. enum: - protect - monitor type: string module: - description: Module is the location of the WASM module to be loaded. - Can be a local file (file://), a remote file served by an HTTP server + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). type: string mutating: - description: Mutating indicates whether a policy has the ability to - mutate incoming requests or not. + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. type: boolean objectSelector: - description: ObjectSelector decides whether to run the webhook based - on if the object has matching labels. objectSelector is evaluated - against both the oldObject and newObject that would be sent to the - webhook, and is considered to match if either object matches the - selector. 
A null object (oldObject in the case of create, or newObject - in the case of delete) or an object that cannot have labels (like - a DeploymentRollback or a PodProxyOptions object) is not considered - to match. Use the object selector only if the webhook is opt-in, - because end users may skip the admission webhook by setting the - labels. Default to the empty LabelSelector, which matches everything. + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -511,99 +569,117 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic policyServer: default: default description: PolicyServer identifies an existing PolicyServer resource. type: string rules: - description: Rules describes what operations on what resources/subresources - the webhook cares about. The webhook cares about an operation if - it matches _any_ Rule. + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. items: - description: RuleWithOperations is a tuple of Operations and Resources. - It is recommended to make sure that all the tuple expansions are - valid. + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of the - slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic apiVersions: - description: APIVersions is the API versions the resources belong - to. '*' is all versions. 
If '*' is present, the length of - the slice must be one. Required. + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic operations: - description: Operations is the operations the admission hook - cares about - CREATE, UPDATE, DELETE, CONNECT or * for all - of those operations and any future admission operations that - are added. If '*' is present, the length of the slice must - be one. Required. + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. items: description: OperationType specifies an operation for a request. type: string type: array x-kubernetes-list-type: atomic resources: - description: "Resources is a list of resources this rule applies - to. \n For example: 'pods' means pods. 'pods/log' means the - log subresource of pods. '*' means all resources, but not - subresources. 'pods/*' means all subresources of pods. '*/scale' - means all scale subresources. '*/*' means all resources and - their subresources. \n If wildcard is present, the validation - rule will ensure resources do not overlap with each other. - \n Depending on the enclosing object, subresources might not - be allowed. Required." + description: |- + Resources is a list of resources this rule applies to. + + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. 
+ + + Depending on the enclosing object, subresources might not be allowed. + Required. items: type: string type: array x-kubernetes-list-type: atomic scope: - description: scope specifies the scope of this rule. Valid values - are "Cluster", "Namespaced", and "*" "Cluster" means that - only cluster-scoped resources will match this rule. Namespace - API objects are cluster-scoped. "Namespaced" means that only - namespaced resources will match this rule. "*" means that - there are no scope restrictions. Subresources match the scope - of their parent resource. Default is "*". + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". type: string type: object type: array settings: - description: 'Settings is a free-form object that contains the policy - configuration values. x-kubernetes-embedded-resource: false' + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false nullable: true type: object x-kubernetes-preserve-unknown-fields: true sideEffects: - description: 'SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via - v1beta1 may also specify Some or Unknown). Webhooks with side effects - MUST implement a reconciliation system, since a request may be rejected - by a future step in the admission change and the side effects therefore - need to be undone. Requests with the dryRun attribute will be auto-rejected - if they match a webhook with sideEffects == Unknown or Some.' + description: |- + SideEffects states whether this webhook has side effects. 
+ Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. type: string timeoutSeconds: default: 10 - description: TimeoutSeconds specifies the timeout for this webhook. - After the timeout passes, the webhook call will be ignored or the - API call will fail based on the failure policy. The timeout value - must be between 1 and 30 seconds. Default to 10 seconds. + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 1 and 30 seconds. + Default to 10 seconds. format: int32 type: integer required: 
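Review bot: The `x-kubernetes-map-type: atomic` marker added after `type: object` on the LabelSelector schema in this hunk (and again in the clusteradmissionpolicies.yaml hunks `@@ -208,47 +245,49 @@` and `@@ -263,99 +302,117 @@`) changes server-side apply semantics for namespaceSelector and objectSelector: a field manager that applies the selector now replaces the whole map instead of merging individual matchLabels keys, so a partial apply from a second manager can drop keys and broaden the set of objects a policy matches. This is consistent with upstream metav1.LabelSelector and presumably falls out of the controller-gen bump, so it is not a defect, but nothing in the commit description calls it out and an operator upgrading the CRD chart would want to know. A release-note line along the lines of `Label selectors on (Cluster)AdmissionPolicy are now atomic under server-side apply; apply the full selector, not individual keys.` would cover it.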
@@ -616,49 +692,52 @@ spec: and AdmissionPolicy properties: conditions: - description: 'Conditions represent the observed conditions of the + description: |- + Conditions represent the observed conditions of the ClusterAdmissionPolicy resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" - and "AdmissionPolicyActive"' + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -672,11 +751,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -692,8 +772,9 @@ spec: - type x-kubernetes-list-type: map mode: - description: PolicyMode represents the observed policy mode of this - policy in the associated PolicyServer configuration + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration enum: - protect - monitor 
@@ -715,9 +796,3 @@ spec: storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml b/charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml index fba4ce35..e1e57ed4 100644 --- a/charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml +++ b/charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: clusteradmissionpolicies.policies.kubewarden.io spec: group: policies.kubewarden.io 
@@ -57,14 +56,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -73,16 +77,17 @@ spec: properties: backgroundAudit: default: true - description: BackgroundAudit indicates whether a policy should be - used or skipped when performing audit checks. If false, the policy - cannot produce meaningful evaluation results during audit checks - and will be skipped. The default is "true". + description: |- + BackgroundAudit indicates whether a policy should be used or skipped when + performing audit checks. If false, the policy cannot produce meaningful + evaluation results during audit checks and will be skipped. + The default is "true". type: boolean contextAwareResources: - description: List of Kubernetes resources the policy is allowed to - access at evaluation time. Access to these resources is done using - the `ServiceAccount` of the PolicyServer the policy is assigned - to. + description: |- + List of Kubernetes resources the policy is allowed to access at evaluation time. + Access to these resources is done using the `ServiceAccount` of the PolicyServer + the policy is assigned to. items: description: ContextAwareResource identifies a Kubernetes resource properties: 
@@ -99,101 +104,133 @@ spec: type: object type: array failurePolicy: - description: FailurePolicy defines how unrecognized errors and timeout - errors from the policy are handled. Allowed values are "Ignore" - or "Fail". * "Ignore" means that an error calling the webhook is - ignored and the API request is allowed to continue. * "Fail" means - that an error calling the webhook causes the admission to fail and - the API request to be rejected. The default behaviour is "Fail" + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" type: string matchPolicy: - description: 'matchPolicy defines how the "rules" list is used to - match incoming requests. Allowed values are "Exact" or "Equivalent". -
  • Exact: match a request only if it exactly matches a specified - rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, - and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], - apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 - or extensions/v1beta1 would not be sent to the webhook.
  • - Equivalent: match a request if modifies a resource listed in rules, - even via another API group or version. For example, if deployments - can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], - resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 - would be converted to apps/v1 and sent to the webhook.
- Defaults to "Equivalent"' + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" type: string mode: default: protect - description: Mode defines the execution mode of this policy. Can be - set to either "protect" or "monitor". If it's empty, it is defaulted - to "protect". Transitioning this setting from "monitor" to "protect" - is allowed, but is disallowed to transition from "protect" to "monitor". - To perform this transition, the policy should be recreated in "monitor" - mode instead. + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. enum: - protect - monitor type: string module: - description: Module is the location of the WASM module to be loaded. - Can be a local file (file://), a remote file served by an HTTP server + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). If prefix is missing, it will default to - registry:// and use that internally. + registry (registry://). + If prefix is missing, it will default to registry:// and use that + internally. type: string mutating: - description: Mutating indicates whether a policy has the ability to - mutate incoming requests or not. + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. type: boolean namespaceSelector: - description: 'NamespaceSelector decides whether to run the webhook - on an object based on whether the namespace for that object matches - the selector. If the object itself is a namespace, the matching - is performed on object.metadata.labels. 
If the object is another - cluster scoped resource, it never skips the webhook.

- For example, to run the webhook on any objects whose namespace is - not associated with "runlevel" of "0" or "1"; you will set the - selector as follows:
 "namespaceSelector": \{
  "matchExpressions": - [
    \{
      "key": - "runlevel",
      "operator": - "NotIn",
      "values": [
-         "0",
        "1"
-       ]
    \}
-   ]
\}
If instead you want to only run the - webhook on any objects whose namespace is associated with the "environment" - of "prod" or "staging"; you will set the selector as follows:
-                  "namespaceSelector": \{
  "matchExpressions": [
-     \{
      "key": - "environment",
      "operator": - "In",
      "values": [
-         "prod",
        "staging"
-       ]
    \}
-   ]
\}
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels - for more examples of label selectors.

Default to the - empty LabelSelector, which matches everything.' + description: |- + NamespaceSelector decides whether to run the webhook on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the webhook. +

+ For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "runlevel",
+       "operator": "NotIn",
+       "values": [
+         "0",
+         "1"
+       ]
+     \}
+   ]
+ \} +
+ If instead you want to only run the webhook on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "environment",
+       "operator": "In",
+       "values": [
+         "prod",
+         "staging"
+       ]
+     \}
+   ]
+ \} +
+ See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + for more examples of label selectors. +

+ Default to the empty LabelSelector, which matches everything. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -208,47 +245,49 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic objectSelector: - description: ObjectSelector decides whether to run the webhook based - on if the object has matching labels. objectSelector is evaluated - against both the oldObject and newObject that would be sent to the - webhook, and is considered to match if either object matches the - selector. A null object (oldObject in the case of create, or newObject - in the case of delete) or an object that cannot have labels (like - a DeploymentRollback or a PodProxyOptions object) is not considered - to match. Use the object selector only if the webhook is opt-in, - because end users may skip the admission webhook by setting the - labels. Default to the empty LabelSelector, which matches everything. + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. 
+ Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -263,99 +302,117 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic policyServer: default: default description: PolicyServer identifies an existing PolicyServer resource. type: string rules: - description: Rules describes what operations on what resources/subresources - the webhook cares about. The webhook cares about an operation if - it matches _any_ Rule. + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. items: - description: RuleWithOperations is a tuple of Operations and Resources. - It is recommended to make sure that all the tuple expansions are - valid. + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of the - slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic apiVersions: - description: APIVersions is the API versions the resources belong - to. '*' is all versions. 
If '*' is present, the length of - the slice must be one. Required. + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic operations: - description: Operations is the operations the admission hook - cares about - CREATE, UPDATE, DELETE, CONNECT or * for all - of those operations and any future admission operations that - are added. If '*' is present, the length of the slice must - be one. Required. + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. items: description: OperationType specifies an operation for a request. type: string type: array x-kubernetes-list-type: atomic resources: - description: "Resources is a list of resources this rule applies - to. \n For example: 'pods' means pods. 'pods/log' means the - log subresource of pods. '*' means all resources, but not - subresources. 'pods/*' means all subresources of pods. '*/scale' - means all scale subresources. '*/*' means all resources and - their subresources. \n If wildcard is present, the validation - rule will ensure resources do not overlap with each other. - \n Depending on the enclosing object, subresources might not - be allowed. Required." + description: |- + Resources is a list of resources this rule applies to. + + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. 
+ + + Depending on the enclosing object, subresources might not be allowed. + Required. items: type: string type: array x-kubernetes-list-type: atomic scope: - description: scope specifies the scope of this rule. Valid values - are "Cluster", "Namespaced", and "*" "Cluster" means that - only cluster-scoped resources will match this rule. Namespace - API objects are cluster-scoped. "Namespaced" means that only - namespaced resources will match this rule. "*" means that - there are no scope restrictions. Subresources match the scope - of their parent resource. Default is "*". + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". type: string type: object type: array settings: - description: 'Settings is a free-form object that contains the policy - configuration values. x-kubernetes-embedded-resource: false' + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false nullable: true type: object x-kubernetes-preserve-unknown-fields: true sideEffects: - description: 'SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via - v1beta1 may also specify Some or Unknown). Webhooks with side effects - MUST implement a reconciliation system, since a request may be rejected - by a future step in the admission change and the side effects therefore - need to be undone. Requests with the dryRun attribute will be auto-rejected - if they match a webhook with sideEffects == Unknown or Some.' + description: |- + SideEffects states whether this webhook has side effects. 
+ Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. type: string timeoutSeconds: default: 10 - description: TimeoutSeconds specifies the timeout for this webhook. - After the timeout passes, the webhook call will be ignored or the - API call will fail based on the failure policy. The timeout value - must be between 1 and 30 seconds. Default to 10 seconds. + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 1 and 30 seconds. + Default to 10 seconds. format: int32 type: integer required: 
@@ -368,49 +425,52 @@ spec: and AdmissionPolicy properties: conditions: - description: 'Conditions represent the observed conditions of the + description: |- + Conditions represent the observed conditions of the ClusterAdmissionPolicy resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" - and "AdmissionPolicyActive"' + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -424,11 +484,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -444,8 +505,9 @@ spec: - type x-kubernetes-list-type: map mode: - description: PolicyMode represents the observed policy mode of this - policy in the associated PolicyServer configuration + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration enum: - protect - monitor 
@@ -495,14 +557,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -510,100 +577,131 @@ spec: description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy properties: failurePolicy: - description: FailurePolicy defines how unrecognized errors and timeout - errors from the policy are handled. Allowed values are "Ignore" - or "Fail". * "Ignore" means that an error calling the webhook is - ignored and the API request is allowed to continue. * "Fail" means - that an error calling the webhook causes the admission to fail and - the API request to be rejected. The default behaviour is "Fail" + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" type: string matchPolicy: - description: 'matchPolicy defines how the "rules" list is used to - match incoming requests. Allowed values are "Exact" or "Equivalent". -
  • Exact: match a request only if it exactly matches a specified - rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, - and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], - apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 - or extensions/v1beta1 would not be sent to the webhook.
  • - Equivalent: match a request if modifies a resource listed in rules, - even via another API group or version. For example, if deployments - can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], - resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 - would be converted to apps/v1 and sent to the webhook.
- Defaults to "Equivalent"' + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" type: string mode: default: protect - description: Mode defines the execution mode of this policy. Can be - set to either "protect" or "monitor". If it's empty, it is defaulted - to "protect". Transitioning this setting from "monitor" to "protect" - is allowed, but is disallowed to transition from "protect" to "monitor". - To perform this transition, the policy should be recreated in "monitor" - mode instead. + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. enum: - protect - monitor type: string module: - description: Module is the location of the WASM module to be loaded. - Can be a local file (file://), a remote file served by an HTTP server + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). type: string mutating: - description: Mutating indicates whether a policy has the ability to - mutate incoming requests or not. + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. type: boolean namespaceSelector: - description: 'NamespaceSelector decides whether to run the webhook - on an object based on whether the namespace for that object matches - the selector. If the object itself is a namespace, the matching - is performed on object.metadata.labels. If the object is another - cluster scoped resource, it never skips the webhook.

- For example, to run the webhook on any objects whose namespace is - not associated with "runlevel" of "0" or "1"; you will set the - selector as follows:
 "namespaceSelector": \{
  "matchExpressions": - [
    \{
      "key": - "runlevel",
      "operator": - "NotIn",
      "values": [
-         "0",
        "1"
-       ]
    \}
-   ]
\}
If instead you want to only run the - webhook on any objects whose namespace is associated with the "environment" - of "prod" or "staging"; you will set the selector as follows:
-                  "namespaceSelector": \{
  "matchExpressions": [
-     \{
      "key": - "environment",
      "operator": - "In",
      "values": [
-         "prod",
        "staging"
-       ]
    \}
-   ]
\}
See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels - for more examples of label selectors.

Default to the - empty LabelSelector, which matches everything.' + description: |- + NamespaceSelector decides whether to run the webhook on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the webhook. +

+ For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "runlevel",
+       "operator": "NotIn",
+       "values": [
+         "0",
+         "1"
+       ]
+     \}
+   ]
+ \} +
+ If instead you want to only run the webhook on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "environment",
+       "operator": "In",
+       "values": [
+         "prod",
+         "staging"
+       ]
+     \}
+   ]
+ \} +
+ See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + for more examples of label selectors. +

+ Default to the empty LabelSelector, which matches everything. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -618,47 +716,49 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic objectSelector: - description: ObjectSelector decides whether to run the webhook based - on if the object has matching labels. objectSelector is evaluated - against both the oldObject and newObject that would be sent to the - webhook, and is considered to match if either object matches the - selector. A null object (oldObject in the case of create, or newObject - in the case of delete) or an object that cannot have labels (like - a DeploymentRollback or a PodProxyOptions object) is not considered - to match. Use the object selector only if the webhook is opt-in, - because end users may skip the admission webhook by setting the - labels. Default to the empty LabelSelector, which matches everything. + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. 
+ Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -673,99 +773,117 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic policyServer: default: default description: PolicyServer identifies an existing PolicyServer resource. type: string rules: - description: Rules describes what operations on what resources/subresources - the webhook cares about. The webhook cares about an operation if - it matches _any_ Rule. + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. items: - description: RuleWithOperations is a tuple of Operations and Resources. - It is recommended to make sure that all the tuple expansions are - valid. + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of the - slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic apiVersions: - description: APIVersions is the API versions the resources belong - to. '*' is all versions. 
If '*' is present, the length of - the slice must be one. Required. + description: |- + APIVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array x-kubernetes-list-type: atomic operations: - description: Operations is the operations the admission hook - cares about - CREATE, UPDATE, DELETE, CONNECT or * for all - of those operations and any future admission operations that - are added. If '*' is present, the length of the slice must - be one. Required. + description: |- + Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. items: description: OperationType specifies an operation for a request. type: string type: array x-kubernetes-list-type: atomic resources: - description: "Resources is a list of resources this rule applies - to. \n For example: 'pods' means pods. 'pods/log' means the - log subresource of pods. '*' means all resources, but not - subresources. 'pods/*' means all subresources of pods. '*/scale' - means all scale subresources. '*/*' means all resources and - their subresources. \n If wildcard is present, the validation - rule will ensure resources do not overlap with each other. - \n Depending on the enclosing object, subresources might not - be allowed. Required." + description: |- + Resources is a list of resources this rule applies to. + + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. 
+ + + Depending on the enclosing object, subresources might not be allowed. + Required. items: type: string type: array x-kubernetes-list-type: atomic scope: - description: scope specifies the scope of this rule. Valid values - are "Cluster", "Namespaced", and "*" "Cluster" means that - only cluster-scoped resources will match this rule. Namespace - API objects are cluster-scoped. "Namespaced" means that only - namespaced resources will match this rule. "*" means that - there are no scope restrictions. Subresources match the scope - of their parent resource. Default is "*". + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". type: string type: object type: array settings: - description: 'Settings is a free-form object that contains the policy - configuration values. x-kubernetes-embedded-resource: false' + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false nullable: true type: object x-kubernetes-preserve-unknown-fields: true sideEffects: - description: 'SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via - v1beta1 may also specify Some or Unknown). Webhooks with side effects - MUST implement a reconciliation system, since a request may be rejected - by a future step in the admission change and the side effects therefore - need to be undone. Requests with the dryRun attribute will be auto-rejected - if they match a webhook with sideEffects == Unknown or Some.' + description: |- + SideEffects states whether this webhook has side effects. 
+ Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. type: string timeoutSeconds: default: 10 - description: TimeoutSeconds specifies the timeout for this webhook. - After the timeout passes, the webhook call will be ignored or the - API call will fail based on the failure policy. The timeout value - must be between 1 and 30 seconds. Default to 10 seconds. + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 1 and 30 seconds. + Default to 10 seconds. format: int32 type: integer required: 
@@ -778,49 +896,52 @@ spec: and AdmissionPolicy properties: conditions: - description: 'Conditions represent the observed conditions of the + description: |- + Conditions represent the observed conditions of the ClusterAdmissionPolicy resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" - and "AdmissionPolicyActive"' + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -834,11 +955,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -854,8 +976,9 @@ spec: - type x-kubernetes-list-type: map mode: - description: PolicyMode represents the observed policy mode of this - policy in the associated PolicyServer configuration + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration enum: - protect - monitor 
@@ -877,9 +1000,3 @@ spec: storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/kubewarden-crds/templates/policyservers.yaml b/charts/kubewarden-crds/templates/policyservers.yaml index 4a2e4e1b..5c672ac7 100644 --- a/charts/kubewarden-crds/templates/policyservers.yaml +++ b/charts/kubewarden-crds/templates/policyservers.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: policyservers.policies.kubewarden.io spec: group: policies.kubewarden.io 
@@ -29,14 +28,19 @@ spec: description: PolicyServer is the Schema for the policyservers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -51,22 +55,20 @@ spec: pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to - nodes that satisfy the affinity expressions specified by - this field, but it may choose a node that violates one or - more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node matches - the corresponding matchExpressions; the node(s) with the - highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects (i.e. - is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with the 
@@ -76,30 +78,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -114,30 +112,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array @@ -149,6 +143,7 @@ spec: type: array x-kubernetes-list-type: atomic type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. 
@@ -161,50 +156,46 @@ spec: type: array x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this - field are not met at scheduling time, the pod will not be - scheduled onto the node. If the affinity requirements specified - by this field cease to be met at some point during pod execution - (e.g. due to an update), the system may or may not try to - eventually evict the pod from its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term matches - no objects. The requirements of them are ANDed. The - TopologySelectorTerm type implements a subset of the - NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -219,30 +210,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists, DoesNotExist. Gt, and - Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. If - the operator is In or NotIn, the values - array must be non-empty. If the operator - is Exists or DoesNotExist, the values array - must be empty. If the operator is Gt or - Lt, the values array must have a single - element, which will be interpreted as an - integer. This array is replaced during a - strategic merge patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -254,27 +241,28 @@ spec: type: array x-kubernetes-list-type: atomic type: object + x-kubernetes-map-type: atomic type: array x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to - nodes that satisfy the affinity expressions specified by - this field, but it may choose a node that violates one or - more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node has - pods which matches the corresponding podAffinityTerm; the + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm 
@@ -285,37 +273,33 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. If it's null, this PodAffinityTerm - matches with no Pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -330,88 +314,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic matchLabelKeys: - description: MatchLabelKeys is a set of pod label - keys to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged - with `labelSelector` as `key in (value)` to select - the group of existing pods which pods will be - taken into consideration for the incoming pod's - pod (anti) affinity. Keys that don't exist in - the incoming pod labels will be ignored. The default - value is empty. The same key is forbidden to exist - in both matchLabelKeys and labelSelector. Also, - matchLabelKeys cannot be set when labelSelector - isn't set. This is an alpha field and requires - enabling MatchLabelKeysInPodAffinity feature gate. + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. 
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label - keys to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged - with `labelSelector` as `key notin (value)` to - select the group of existing pods which pods will - be taken into consideration for the incoming pod's - pod (anti) affinity. Keys that don't exist in - the incoming pod labels will be ignored. The default - value is empty. The same key is forbidden to exist - in both mismatchLabelKeys and labelSelector. Also, - mismatchLabelKeys cannot be set when labelSelector - isn't set. This is an alpha field and requires - enabling MatchLabelKeysInPodAffinity feature gate. + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. 
The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -426,40 +396,38 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array x-kubernetes-list-type: atomic topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the corresponding - podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -469,53 +437,51 @@ spec: type: array x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this - field are not met at scheduling time, the pod will not be - scheduled onto the node. If the affinity requirements specified - by this field cease to be met at some point during pod execution - (e.g. due to a pod label update), the system may or may - not try to eventually evict the pod from its node. When - there are multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. all terms - must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not co-located - (anti-affinity) with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on which a pod of the set of - pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
If it's null, this PodAffinityTerm - matches with no Pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -529,83 +495,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys - to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged with - `labelSelector` as `key in (value)` to select the - group of existing pods which pods will be taken into - consideration for the incoming pod's pod (anti) affinity. - Keys that don't exist in the incoming pod labels will - be ignored. The default value is empty. The same key - is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector - isn't set. This is an alpha field and requires enabling - MatchLabelKeysInPodAffinity feature gate. + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label - keys to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged with - `labelSelector` as `key notin (value)` to select the - group of existing pods which pods will be taken into - consideration for the incoming pod's pod (anti) affinity. - Keys that don't exist in the incoming pod labels will - be ignored. The default value is empty. The same key - is forbidden to exist in both mismatchLabelKeys and - labelSelector. Also, mismatchLabelKeys cannot be set - when labelSelector isn't set. This is an alpha field - and requires enabling MatchLabelKeysInPodAffinity - feature gate. + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied to the - union of the namespaces selected by this field and - the ones listed in the namespaces field. 
null selector - and null or empty namespaces list means "this pod's - namespace". An empty selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -619,32 +576,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace - names that the term applies to. The term is applied - to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. null or - empty namespaces list and null namespaceSelector means - "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array x-kubernetes-list-type: atomic topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where - co-located is defined as running on a node whose value - of the label with key topologyKey matches that of - any node on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: @@ -659,16 +613,15 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to - nodes that satisfy the anti-affinity expressions specified - by this field, but it may choose a node that violates one - or more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node has - pods which matches the corresponding podAffinityTerm; the + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm 
@@ -679,37 +632,33 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. If it's null, this PodAffinityTerm - matches with no Pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -724,88 +673,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic matchLabelKeys: - description: MatchLabelKeys is a set of pod label - keys to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged - with `labelSelector` as `key in (value)` to select - the group of existing pods which pods will be - taken into consideration for the incoming pod's - pod (anti) affinity. Keys that don't exist in - the incoming pod labels will be ignored. The default - value is empty. The same key is forbidden to exist - in both matchLabelKeys and labelSelector. Also, - matchLabelKeys cannot be set when labelSelector - isn't set. This is an alpha field and requires - enabling MatchLabelKeysInPodAffinity feature gate. + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. 
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label - keys to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged - with `labelSelector` as `key notin (value)` to - select the group of existing pods which pods will - be taken into consideration for the incoming pod's - pod (anti) affinity. Keys that don't exist in - the incoming pod labels will be ignored. The default - value is empty. The same key is forbidden to exist - in both mismatchLabelKeys and labelSelector. Also, - mismatchLabelKeys cannot be set when labelSelector - isn't set. This is an alpha field and requires - enabling MatchLabelKeysInPodAffinity feature gate. + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. 
The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -820,40 +755,38 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array x-kubernetes-list-type: atomic topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the corresponding - podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -863,53 +796,51 @@ spec: type: array x-kubernetes-list-type: atomic requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the anti-affinity requirements - specified by this field cease to be met at some point during - pod execution (e.g. due to a pod label update), the system - may or may not try to eventually evict the pod from its - node. When there are multiple elements, the lists of nodes - corresponding to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not co-located - (anti-affinity) with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on which a pod of the set of - pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. If it's null, this PodAffinityTerm - matches with no Pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -923,83 +854,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys - to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged with - `labelSelector` as `key in (value)` to select the - group of existing pods which pods will be taken into - consideration for the incoming pod's pod (anti) affinity. - Keys that don't exist in the incoming pod labels will - be ignored. The default value is empty. The same key - is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector - isn't set. This is an alpha field and requires enabling - MatchLabelKeysInPodAffinity feature gate. + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: - description: MismatchLabelKeys is a set of pod label - keys to select which pods will be taken into consideration. - The keys are used to lookup values from the incoming - pod labels, those key-value labels are merged with - `labelSelector` as `key notin (value)` to select the - group of existing pods which pods will be taken into - consideration for the incoming pod's pod (anti) affinity. - Keys that don't exist in the incoming pod labels will - be ignored. The default value is empty. The same key - is forbidden to exist in both mismatchLabelKeys and - labelSelector. Also, mismatchLabelKeys cannot be set - when labelSelector isn't set. This is an alpha field - and requires enabling MatchLabelKeysInPodAffinity - feature gate. + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied to the - union of the namespaces selected by this field and - the ones listed in the namespaces field. 
null selector - and null or empty namespaces list means "this pod's - namespace". An empty selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1013,32 +935,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace - names that the term applies to. The term is applied - to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. null or - empty namespaces list and null namespaceSelector means - "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array x-kubernetes-list-type: atomic topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where - co-located is defined as running on a node whose value - of the label with key topologyKey matches that of - any node on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: @@ -1051,10 +970,11 @@ spec: annotations: additionalProperties: type: string - description: 'Annotations is an unstructured key value map stored - with a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations type: object env: description: List of environment variables to set in the container. 
@@ -1066,15 +986,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using - the previously defined environment variables in the container - and any service environment variables. If a variable cannot - be resolved, the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the - string literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists or - not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot 
@@ -1087,8 +1008,15 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its key @@ -1097,11 +1025,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, - status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is 
@@ -1114,11 +1042,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -1138,6 +1066,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: @@ -1146,8 +1075,15 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must @@ -1156,6 +1092,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name 
@@ -1165,14 +1102,16 @@ spec: description: Docker image name. type: string imagePullSecret: - description: Name of ImagePullSecret secret in the same namespace, - used for pulling policies from repositories. + description: |- + Name of ImagePullSecret secret in the same namespace, used for pulling + policies from repositories. type: string insecureSources: - description: List of insecure URIs to policy repositories. The `insecureSources` + description: |- + List of insecure URIs to policy repositories. The `insecureSources` content format corresponds with the contents of the `insecure_sources` - key in `sources.yaml`. Reference for `sources.yaml` is found in - the Kubewarden documentation in the reference section. + key in `sources.yaml`. Reference for `sources.yaml` is found in the + Kubewarden documentation in the reference section. items: type: string type: array @@ -1190,17 +1129,19 @@ spec: anyOf: - type: integer - type: string - description: Number of policy server replicas that can be unavailable - after the eviction. The value can be an absolute number or a percentage. - Only one of MinAvailable or Max MaxUnavailable can be set. + description: |- + Number of policy server replicas that can be unavailable after the + eviction. The value can be an absolute number or a percentage. Only one of + MinAvailable or Max MaxUnavailable can be set. x-kubernetes-int-or-string: true minAvailable: anyOf: - type: integer - type: string - description: Number of policy server replicas that must be still available - after the eviction. The value can be an absolute number or a percentage. - Only one of MinAvailable or Max MaxUnavailable can be set. + description: |- + Number of policy server replicas that must be still available after the + eviction. The value can be an absolute number or a percentage. Only one of + MinAvailable or Max MaxUnavailable can be set. x-kubernetes-int-or-string: true replicas: description: Replicas is the number of desired replicas. 
@@ -1213,59 +1154,61 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: Requests describes the minimum amount of compute resources - required. If Request is omitted for, it defaults to Limits if that - is explicitly specified, otherwise to an implementation-defined - value + description: |- + Requests describes the minimum amount of compute resources required. + If Request is omitted for, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value type: object securityContexts: - description: Security configuration to be used in the Policy Server - workload. The field allows different configurations for the pod - and containers. If set for the containers, this configuration will - not be used in containers added by other controllers (e.g. telemetry - sidecars) + description: |- + Security configuration to be used in the Policy Server workload. + The field allows different configurations for the pod and containers. + If set for the containers, this configuration will not be used in + containers added by other controllers (e.g. telemetry sidecars) properties: container: description: securityContext definition to be used in the policy server container properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a - process can gain more privileges than its parent process. - This bool directly controls if the no_new_privs flag will - be set on the container process. AllowPrivilegeEscalation - is true always when the container is: 1) run as Privileged - 2) has CAP_SYS_ADMIN Note that this field cannot be set - when spec.os.name is windows.' + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. 
+ AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. type: boolean appArmorProfile: - description: appArmorProfile is the AppArmor options to use - by this container. If set, this profile overrides the pod's - appArmorProfile. Note that this field cannot be set when - spec.os.name is windows. + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile loaded - on the node that should be used. The profile must be - preconfigured on the node to work. Must match the loaded - name of the profile. Must be set if and only if type - is "Localhost". + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". type: string type: - description: 'type indicates which kind of AppArmor profile - will be applied. Valid options are: Localhost - a profile - pre-loaded on the node. RuntimeDefault - the container - runtime''s default profile. Unconfined - no AppArmor - enforcement.' + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. type: string required: - type type: object capabilities: - description: The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the - container runtime. Note that this field cannot be set when - spec.os.name is windows. 
+ description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -1285,59 +1228,60 @@ spec: x-kubernetes-list-type: atomic type: object privileged: - description: Run container in privileged mode. Processes in - privileged containers are essentially equivalent to root - on the host. Defaults to false. Note that this field cannot - be set when spec.os.name is windows. + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. type: boolean procMount: - description: procMount denotes the type of proc mount to use - for the containers. The default is DefaultProcMount which - uses the container runtime defaults for readonly paths and - masked paths. This requires the ProcMountType feature flag - to be enabled. Note that this field cannot be set when spec.os.name - is windows. + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. - Default is false. Note that this field cannot be set when - spec.os.name is windows. + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be set - in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set when - spec.os.name is windows. 
+ description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as a non-root - user. If true, the Kubelet will validate the image at runtime - to ensure that it does not run as UID 0 (root) and fail - to start the container if it does. If unset or false, no - such validation will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata if - unspecified. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is windows. + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. 
format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random - SELinux context for each container. May also be set in - PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set when - spec.os.name is windows. + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that applies 
@@ -1357,63 +1301,62 @@ spec: type: string type: object seccompProfile: - description: The seccomp options to use by this container. - If seccomp options are provided at both the pod & container - level, the container options override the pod options. Note - that this field cannot be set when spec.os.name is windows. + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile defined - in a file on the node should be used. The profile must - be preconfigured on the node to work. Must be a descending - path, relative to the kubelet's configured seccomp profile - location. Must be set if type is "Localhost". Must NOT - be set for any other type. + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. type: string type: - description: "type indicates which kind of seccomp profile - will be applied. Valid options are: \n Localhost - a - profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile - should be used. Unconfined - no profile should be applied." + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied to all - containers. 
If unspecified, the options from the PodSecurityContext - will be used. If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is - linux. + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission - webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec named - by the GMSACredentialSpecName field. + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container should - be run as a 'Host Process' container. All of a Pod's - containers must have the same effective HostProcess - value (it is not allowed to have a mix of HostProcess - containers and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must also be - set to true. + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. 
type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set in - PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence. + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: string type: object type: object 
@@ -1422,85 +1365,91 @@ spec: server Pod properties: appArmorProfile: - description: appArmorProfile is the AppArmor options to use - by the containers in this pod. Note that this field cannot - be set when spec.os.name is windows. + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile loaded - on the node that should be used. The profile must be - preconfigured on the node to work. Must match the loaded - name of the profile. Must be set if and only if type - is "Localhost". + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". type: string type: - description: 'type indicates which kind of AppArmor profile - will be applied. Valid options are: Localhost - a profile - pre-loaded on the node. RuntimeDefault - the container - runtime''s default profile. Unconfined - no AppArmor - enforcement.' + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. type: string required: - type type: object fsGroup: - description: "A special supplemental group that applies to - all containers in a pod. Some volume types allow the Kubelet - to change the ownership of that volume to be owned by the - pod: \n 1. The owning GID will be the FSGroup 2. The setgid - bit is set (new files created in the volume will be owned - by FSGroup) 3. The permission bits are OR'd with rw-rw---- - \n If unset, the Kubelet will not modify the ownership and - permissions of any volume. 
Note that this field cannot be - set when spec.os.name is windows." + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior of changing - ownership and permission of the volume before being exposed - inside Pod. This field will only apply to volume types which - support fsGroup based ownership(and permissions). It will - have no effect on ephemeral volume types such as: secret, - configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified, "Always" is used. Note that - this field cannot be set when spec.os.name is windows.' + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. type: string runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be set - in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this field - cannot be set when spec.os.name is windows. 
+ description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as a non-root - user. If true, the Kubelet will validate the image at runtime - to ensure that it does not run as UID 0 (root) and fail - to start the container if it does. If unset or false, no - such validation will be performed. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata if - unspecified. May also be set in SecurityContext. If set - in both SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence for that container. - Note that this field cannot be set when spec.os.name is - windows. + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. 
+ Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random - SELinux context for each container. May also be set in - SecurityContext. If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence - for that container. Note that this field cannot be set when - spec.os.name is windows. + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that applies 
@@ -1520,48 +1469,49 @@ spec: type: string type: object seccompProfile: - description: The seccomp options to use by the containers - in this pod. Note that this field cannot be set when spec.os.name - is windows. + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile defined - in a file on the node should be used. The profile must - be preconfigured on the node to work. Must be a descending - path, relative to the kubelet's configured seccomp profile - location. Must be set if type is "Localhost". Must NOT - be set for any other type. + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. type: string type: - description: "type indicates which kind of seccomp profile - will be applied. Valid options are: \n Localhost - a - profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile - should be used. Unconfined - no profile should be applied." + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. type: string required: - type type: object supplementalGroups: - description: A list of groups applied to the first process - run in each container, in addition to the container's primary - GID, the fsGroup (if specified), and group memberships defined - in the container image for the uid of the container process. 
- If unspecified, no additional groups are added to any container. - Note that group memberships defined in the container image - for the uid of the container process are still effective, - even if they are not included in this list. Note that this - field cannot be set when spec.os.name is windows. + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. items: format: int64 type: integer type: array x-kubernetes-list-type: atomic sysctls: - description: Sysctls hold a list of namespaced sysctls used - for the pod. Pods with unsupported sysctls (by the container - runtime) might fail to launch. Note that this field cannot - be set when spec.os.name is windows. + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. items: description: Sysctl defines a kernel parameter to be set properties: 
@@ -1578,63 +1528,62 @@ spec: type: array x-kubernetes-list-type: atomic windowsOptions: - description: The Windows specific settings applied to all - containers. If unspecified, the options within a container's - SecurityContext will be used. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. Note that this field cannot be set when - spec.os.name is linux. + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission - webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec named - by the GMSACredentialSpecName field. + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container should - be run as a 'Host Process' container. All of a Pod's - containers must have the same effective HostProcess - value (it is not allowed to have a mix of HostProcess - containers and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must also be - set to true. + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. 
+ All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set in - PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext - takes precedence. + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. type: string type: object type: object type: object serviceAccountName: - description: Name of the service account associated with the policy - server. Namespace service account will be used if not specified. + description: |- + Name of the service account associated with the policy server. + Namespace service account will be used if not specified. type: string sourceAuthorities: additionalProperties: items: type: string type: array - description: Key value map of registry URIs endpoints to a list of - their associated PEM encoded certificate authorities that have to - be used to verify the certificate used by the endpoint. The `sourceAuthorities` - content format corresponds with the contents of the `source_authorities` - key in `sources.yaml`. Reference for `sources.yaml` is found in - the Kubewarden documentation in the reference section. + description: |- + Key value map of registry URIs endpoints to a list of their associated + PEM encoded certificate authorities that have to be used to verify the + certificate used by the endpoint. 
The `sourceAuthorities` content format + corresponds with the contents of the `source_authorities` key in + `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden + documentation in the reference section. type: object verificationConfig: - description: Name of VerificationConfig configmap in the same namespace, - containing Sigstore verification configuration. The configuration - must be under a key named verification-config in the Configmap. + description: |- + Name of VerificationConfig configmap in the same namespace, containing + Sigstore verification configuration. The configuration must be under a + key named verification-config in the Configmap. type: string required: - image 
@@ -1644,47 +1593,50 @@ spec: description: PolicyServerStatus defines the observed state of PolicyServer properties: conditions: - description: 'Conditions represent the observed conditions of the - PolicyServer resource. Known .status.conditions.types are: "PolicyServerSecretReconciled", - "PolicyServerDeploymentReconciled" and "PolicyServerServiceReconciled"' + description: |- + Conditions represent the observed conditions of the + PolicyServer resource. Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerDeploymentReconciled" and + "PolicyServerServiceReconciled" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1698,11 +1650,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1740,14 +1693,19 @@ spec: description: PolicyServer is the Schema for the policyservers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1757,10 +1715,11 @@ spec: annotations: additionalProperties: type: string - description: 'Annotations is an unstructured key value map stored - with a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: http://kubernetes.io/docs/user-guide/annotations type: object env: description: List of environment variables to set in the container. 
@@ -1772,15 +1731,16 @@ spec: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using - the previously defined environment variables in the container - and any service environment variables. If a variable cannot - be resolved, the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the - string literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists or - not. Defaults to "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's value. Cannot 
@@ -1793,8 +1753,15 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its key @@ -1803,11 +1770,11 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, - status.podIP, status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath is 
@@ -1820,11 +1787,11 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for volumes, @@ -1844,6 +1811,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: @@ -1852,8 +1820,15 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must @@ -1862,6 +1837,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name 
@@ -1871,14 +1847,16 @@ spec: description: Docker image name. type: string imagePullSecret: - description: Name of ImagePullSecret secret in the same namespace, - used for pulling policies from repositories. + description: |- + Name of ImagePullSecret secret in the same namespace, used for pulling + policies from repositories. type: string insecureSources: - description: List of insecure URIs to policy repositories. The `insecureSources` + description: |- + List of insecure URIs to policy repositories. The `insecureSources` content format corresponds with the contents of the `insecure_sources` - key in `sources.yaml`. Reference for `sources.yaml` is found in - the Kubewarden documentation in the reference section. + key in `sources.yaml`. Reference for `sources.yaml` is found in the + Kubewarden documentation in the reference section. items: type: string type: array 
@@ -1887,25 +1865,28 @@ spec: format: int32 type: integer serviceAccountName: - description: Name of the service account associated with the policy - server. Namespace service account will be used if not specified. + description: |- + Name of the service account associated with the policy server. + Namespace service account will be used if not specified. type: string sourceAuthorities: additionalProperties: items: type: string type: array - description: Key value map of registry URIs endpoints to a list of - their associated PEM encoded certificate authorities that have to - be used to verify the certificate used by the endpoint. The `sourceAuthorities` - content format corresponds with the contents of the `source_authorities` - key in `sources.yaml`. Reference for `sources.yaml` is found in - the Kubewarden documentation in the reference section. + description: |- + Key value map of registry URIs endpoints to a list of their associated + PEM encoded certificate authorities that have to be used to verify the + certificate used by the endpoint. The `sourceAuthorities` content format + corresponds with the contents of the `source_authorities` key in + `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden + documentation in the reference section. type: object verificationConfig: - description: Name of VerificationConfig configmap in the same namespace, - containing Sigstore verification configuration. The configuration - must be under a key named verification-config in the Configmap. + description: |- + Name of VerificationConfig configmap in the same namespace, containing + Sigstore verification configuration. The configuration must be under a + key named verification-config in the Configmap. type: string required: - image 
@@ -1915,47 +1896,50 @@ spec: description: PolicyServerStatus defines the observed state of PolicyServer properties: conditions: - description: 'Conditions represent the observed conditions of the - PolicyServer resource. Known .status.conditions.types are: "PolicyServerSecretReconciled", - "PolicyServerDeploymentReconciled" and "PolicyServerServiceReconciled"' + description: |- + Conditions represent the observed conditions of the + PolicyServer resource. Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerDeploymentReconciled" and + "PolicyServerServiceReconciled" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1969,11 +1953,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -1996,9 +1981,3 @@ spec: storage: false subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/kubewarden-defaults/Chart.yaml b/charts/kubewarden-defaults/Chart.yaml index 88733777..a1b94aac 100644 --- a/charts/kubewarden-defaults/Chart.yaml 
+++ b/charts/kubewarden-defaults/Chart.yaml
@@ -22,9 +22,9 @@ keywords:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.0
+version: 2.0.1-rc1
 # This is the version of Kubewarden stack
-appVersion: v1.12.0
+appVersion: v1.13.0-rc1
 annotations:
   # required ones:
   catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
@@ -35,8 +35,8 @@ annotations:
   catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
   # optional ones:
   catalog.cattle.io/hidden: "true" # Hide specific charts. Only use on CRD charts.
-  catalog.cattle.io/upstream-version: 2.0.0
-  catalog.cattle.io/auto-install: kubewarden-crds=1.5.0
+  catalog.cattle.io/upstream-version: 2.0.1-rc1
+  catalog.cattle.io/auto-install: kubewarden-crds=1.5.1-rc1
   # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
   # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
   catalog.cattle.io/type: cluster-tool
diff --git a/charts/kubewarden-defaults/values.yaml b/charts/kubewarden-defaults/values.yaml
index d5af9743..c11fb9d7 100644
--- a/charts/kubewarden-defaults/values.yaml
+++ b/charts/kubewarden-defaults/values.yaml
@@ -62,7 +62,7 @@ policyServer:
   image:
     # The registry is defined in the global.cattle.systemDefaultRegistry value
     repository: "kubewarden/policy-server"
-    tag: v1.12.0
+    tag: v1.13.0-rc1
   serviceAccountName: policy-server
   # verificationConfig: your_configmap
   # Configmap containing a Sigstore verification configuration under a key