Space API
The Space API describes the types and parameters for the core Space components.
- ‘object’ - The object from the incoming request. The value is null for DELETE requests.
- ‘oldObject’ - The existing object. The value is null for CREATE requests.
- ‘request’ - Attributes of the API request(ref).
- ‘params’ - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
- ’namespaceObject’ - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
- ‘variables’ - Map of composited variables, from its name to its lazily evaluated value. For example, a variable named ‘foo’ can be accessed as ‘variables.foo’.
- ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource.
- ‘__’ escapes to ‘underscores’
- ‘.’ escapes to ‘dot’
- ‘-’ escapes to ‘dash’
- ‘/’ escapes to ‘slash’
- Property names that exactly match a CEL RESERVED keyword escape to ‘{keyword}’. The keywords are:
’true’, ‘false’, ’null’, ‘in’, ‘as’, ‘break’, ‘const’, ‘continue’, ’else’, ‘for’, ‘function’, ‘if’,
‘import’, ’let’, ’loop’, ‘package’, ’namespace’, ‘return’.
Examples:
- Expression accessing a property named ’namespace’: {‘Expression’: ‘object.namespace > 0’}
- Expression accessing a property named ‘x-prop’: {‘Expression’: ‘object.x__dash__prop > 0’}
- Expression accessing a property named ‘redact__d’: {‘Expression’: ‘object.redact__underscores__d > 0’}
- ‘set’:
X + Yperforms a union where the array positions of all elements inXare preserved and non-intersecting elements inYare appended, retaining their partial order. - ‘map’:
X + Yperforms a merge where the array positions of all keys inXare preserved but the values are overwritten by values inYwhen the key sets ofXandYintersect. Elements inYwith non-intersecting keys are appended, retaining their partial order. Required. If
paramKindis cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.If
paramKindis namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.
policy.spaces.upbound.io/v1alpha1
Expand All
Collapse All
policy.spaces.upbound.io/v1alpha1
SharedUpboundPolicy specifies a shared Kyverno policy projected into the specified
ControlPlanes of the same namespace as SharedUpboundPolicy.
SharedUpboundPolicySpec defines the desired state of SharedUpboundPolicy.
Default:
Admission controls if rules are applied during admission.
Optional. Default value is ’true'.trueApplyRules controls how rules in a policy are applied. Rule are processed in
the order of declaration. When set to
One processing stops after a rule has
been applied i.e. the rule matches and results in a pass, fail, or error. When
set to All all rules in the policy are processed. The default is All.Default:
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is ’true’. The value must be set to ‘false’ if the policy rule
uses variables that are only available in the admission review request (e.g. user name).trueThe policy is projected only to control planes
matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selector matches.
In case when the list is empty, resource is matched too.
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead
GetFailurePolicy() should be used.
Allowed values are Ignore or Fail. Defaults to Fail.GenerateExisting controls whether to trigger generate rule in existing resources
If is set to ’true’ generate rule will be triggered and applied to existing matched resources.
Defaults to ‘false’ if not specified.
MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
Default value is ‘false’.
PolicyName is the name to use when creating policy within a control plane.
optional, if not set, SharedUpboundPolicy name will be used.
When set, it is immutable.
Rules is a list of Rule instances. A Policy contains multiple rules and
each rule can validate, mutate, or generate resources.
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
set of CEL conditions. It can only be used with the validate.cel subrule
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
‘object’ - The object from the incoming request. The value is null for DELETE requests. ‘oldObject’ - The existing object. The value is null for CREATE requests. ‘request’ - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, ‘-’, ‘’ or ‘.’, and must start and end with an alphanumeric character (e.g. ‘MyName’, or ‘my.name’, or ‘123-abc’, regex used for validation is ‘([A-Za-z0-9][-A-Za-z0-9.]*)?[A-Za-z0-9]’) with an optional DNS subdomain prefix and ‘/’ (e.g. ’example.com/MyName’)
Required.
Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of ‘items | length(@)’ applied to the API server response
for the URLPath ‘/apis/apps/v1/deployments’ will return the total count
of deployments across all namespaces.
URLPath is the URL path to be used in the HTTP GET or POST request to the
Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’).
The format required is the same format used by the
kubectl get --raw command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
ExcludeResources defines when this policy rule should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
All allows specifying resources which will be ANDed
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters ‘*’ (matches zero or many characters) and
‘?’ (matches at least one character).
Name is the name of the resource. The name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in
matchLabels support the wildcard characters * (matches zero or many characters)
and ? (matches one character).Wildcards allows writing label selectors like
[‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but
does not match an empty label set.Namespaces is a list of namespaces names. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in
matchLabels support the wildcard
characters * (matches zero or many characters) and ? (matches one character).
Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that
using [’’ : ‘’] matches any key and value but does not match an empty label set.Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject.
Defaults to ’’ for ServiceAccount subjects.
Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Any allows specifying resources which will be ORed
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters ‘*’ (matches zero or many characters) and
‘?’ (matches at least one character).
Name is the name of the resource. The name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in
matchLabels support the wildcard characters * (matches zero or many characters)
and ? (matches one character).Wildcards allows writing label selectors like
[‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but
does not match an empty label set.Namespaces is a list of namespaces names. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in
matchLabels support the wildcard
characters * (matches zero or many characters) and ? (matches one character).
Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that
using [’’ : ‘’] matches any key and value but does not match an empty label set.Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject.
Defaults to ’’ for ServiceAccount subjects.
Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under ‘any’ or ‘all’ instead.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters ‘*’ (matches zero or many characters) and
‘?’ (matches at least one character).
Name is the name of the resource. The name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in
matchLabels support the wildcard characters * (matches zero or many characters)
and ? (matches one character).Wildcards allows writing label selectors like
[‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but
does not match an empty label set.Namespaces is a list of namespaces names. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in
matchLabels support the wildcard
characters * (matches zero or many characters) and ? (matches one character).
Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that
using [’’ : ‘’] matches any key and value but does not match an empty label set.Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject.
Defaults to ’’ for ServiceAccount subjects.
Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Generation is used to create new resources.
CloneList specifies the list of source resource used to populate each generated resource.
Selector is a label selector. Label keys and values in
matchLabels.
wildcard characters are not supported.Data provides the resource declaration used to populate each generated resource.
At most one of Data or Clone must be specified. If neither are provided, the generated
resource will be created with default data only.
Synchronize controls if generated resources should be kept in-sync with their source resource.
If Synchronize is set to ’true’ changes to generated resources will be overwritten with resource
data from Data or the resource specified in the Clone declaration.
Optional. Defaults to ‘false’ if not specified.
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
This config is only valid for verifyImages rules.
MatchResources defines when this policy rule should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
All allows specifying resources which will be ANDed
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters ‘*’ (matches zero or many characters) and
‘?’ (matches at least one character).
Name is the name of the resource. The name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in
matchLabels support the wildcard characters * (matches zero or many characters)
and ? (matches one character).Wildcards allows writing label selectors like
[‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but
does not match an empty label set.Namespaces is a list of namespaces names. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in
matchLabels support the wildcard
characters * (matches zero or many characters) and ? (matches one character).
Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that
using [’’ : ‘’] matches any key and value but does not match an empty label set.Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject.
Defaults to ’’ for ServiceAccount subjects.
Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Any allows specifying resources which will be ORed
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters ‘*’ (matches zero or many characters) and
‘?’ (matches at least one character).
Name is the name of the resource. The name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in
matchLabels support the wildcard characters * (matches zero or many characters)
and ? (matches one character).Wildcards allows writing label selectors like
[‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but
does not match an empty label set.Namespaces is a list of namespaces names. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in
matchLabels support the wildcard
characters * (matches zero or many characters) and ? (matches one character).
Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that
using [’’ : ‘’] matches any key and value but does not match an empty label set.Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject.
Defaults to ’’ for ServiceAccount subjects.
Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
ResourceDescription contains information about the resource being created or modified.
Requires at least one tag to be specified when under MatchResources.
Specifying ResourceDescription directly under match is being deprecated.
Please specify under ‘any’ or ‘all’ instead.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters ‘*’ (matches zero or many characters) and
‘?’ (matches at least one character).
Name is the name of the resource. The name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in
matchLabels support the wildcard characters * (matches zero or many characters)
and ? (matches one character).Wildcards allows writing label selectors like
[‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but
does not match an empty label set.Namespaces is a list of namespaces names. Each name supports wildcard characters
‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in
matchLabels support the wildcard
characters * (matches zero or many characters) and ? (matches one character).
Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that
using [’’ : ‘’] matches any key and value but does not match an empty label set.Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject.
Defaults to ’’ for ServiceAccount subjects.
Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Mutation is used to modify matching resources.
ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of ‘items | length(@)’ applied to the API server response
for the URLPath ‘/apis/apps/v1/deployments’ will return the total count
of deployments across all namespaces.
URLPath is the URL path to be used in the HTTP GET or POST request to the
Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’).
The format required is the same format used by the
kubectl get --raw command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
List specifies a JMESPath expression that results in one or more elements
to which the validation logic is applied.
Order defines the iteration order on the list.
Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
set of conditions. The declaration can contain nested
any or all statements.
See: https://kyverno.io/docs/writing-policies/preconditions/AllConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, all of the conditions need to pass
AnyConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, at least one of the conditions need to pass
PatchStrategicMerge is a strategic merge patch used to modify resources.
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
Targets defines the target resources to be mutated.
Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of ‘items | length(@)’ applied to the API server response
for the URLPath ‘/apis/apps/v1/deployments’ will return the total count
of deployments across all namespaces.
URLPath is the URL path to be used in the HTTP GET or POST request to the
Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’).
The format required is the same format used by the
kubectl get --raw command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
Preconditions are used to determine if a policy rule should be applied by evaluating a
set of conditions. The declaration can contain nested
any or all statements. A direct list
of conditions (without any or all statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/Preconditions are used to determine if a policy rule should be applied by evaluating a
set of conditions. The declaration can contain nested
any or all statements. A direct list
of conditions (without any or all statements is supported for backwards compatibility but
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/Default:
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
The default value is set to ’true’, it must be set to ‘false’ to apply
generate and mutateExisting rules to those requests.trueValidation is used to validate matching resources.
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: ‘{ValidatingAdmissionPolicy name}/{key}’.
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.
Required.
valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.
If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.
Required.
Expressions is a list of CELExpression types.
Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the
object. No other metadata properties are accessible.
Only property names of the form [a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible.
Accessible property names are escaped according to the following rules when accessed in the expression:
Equality on arrays with list type of ‘set’ or ‘map’ ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
Message represents the message displayed when validation fails. The message is required if the Expression contains
line breaks. The message must not contain line breaks.
If unset, the message is ‘failed rule: {Rule}’.
e.g. ‘must be a URL with the host matching spec.host’
If the Expression contains line breaks. Message is required.
The message must not contain line breaks.
If unset, the message is ‘failed Expression: {Expression}’.
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
Since messageExpression is used as a failure message, it must evaluate to a string.
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
messageExpression has access to all the same variables as the
expression except for ‘authorizer’ and ‘authorizer.requestResource’.
Example:
‘object.x must be less than max (’+string(params.max)+’)’Reason represents a machine-readable description of why this validation failed.
If this is the first validation in the list to fail, this reason, as well as the
corresponding HTTP response code, are used in the
HTTP response to the client.
The currently supported reasons are: ‘Unauthorized’, ‘Forbidden’, ‘Invalid’, ‘RequestEntityTooLarge’.
If not set, StatusReasonInvalid is used in the response to the client.
ParamRef references a parameter resource.
name is the name of the resource being referenced.
name and selector are mutually exclusive properties. If one is set,
the other must be unset.
namespace is the namespace of the referenced resource. Allows limiting
the search for params to a specific namespace. Applies to both name and
selector fields.
A per-namespace parameter may be used by specifying a namespace-scoped
paramKind in the policy and leaving this field empty.
parameterNotFoundAction controls the behavior of the binding when the resource
exists, and name or selector is valid, but there are no parameters
matched by the binding. If the value is set to Allow, then no
matched parameters will be treated as successful validation by the binding.
If set to Deny, then no matched parameters will be subject to the
failurePolicy of the policy.
Allowed values are Allow or Deny
Default to Deny
selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.
If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.
One of name or selector must be set, but name and selector are
mutually exclusive properties. If one is set, the other must be unset.
Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
variables in other expressions of the policy.Deny defines conditions used to pass or fail a validation rule.
Multiple conditions can be declared under an
any or all statement. A direct list
of conditions (without any or all statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rulesForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of ‘items | length(@)’ applied to the API server response
for the URLPath ‘/apis/apps/v1/deployments’ will return the total count
of deployments across all namespaces.
URLPath is the URL path to be used in the HTTP GET or POST request to the
Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’).
The format required is the same format used by the
kubectl get --raw command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
Deny defines conditions used to pass or fail a validation rule.
Multiple conditions can be declared under an
any or all statement. A direct list
of conditions (without any or all statements) is also supported for backwards compatibility
but will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/validate/#deny-rulesElementScope specifies whether to use the current list element as the scope for validation. Defaults to ’true’ if not specified.
When set to ‘false’, ‘request.object’ is used as the validation scope within the foreach
block to allow referencing other elements in the subtree.
List specifies a JMESPath expression that results in one or more elements
to which the validation logic is applied.
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
set of conditions. The declaration can contain nested
any or all statements.
See: https://kyverno.io/docs/writing-policies/preconditions/AllConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, all of the conditions need to pass
AnyConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, at least one of the conditions need to pass
Manifest specifies conditions for manifest verification
AnnotationDomain is custom domain of annotation for message and signature. Default is ‘cosign.sigstore.dev’.
Attestors specified the required attestors (i.e. authorities)
Count specifies the required number of entries that must match. If the count is null, all entries must match
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
Entries contains the available attestors. An attestor can be a static key,
attributes for keyless verification, or a nested attestor declaration.
Annotations are used for image verification.
Every specified key-value pair must exist and match in the verified payload.
The payload may contain other key-value pairs.
Certificates specifies one or more certificates.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keys specifies one or more public keys.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
KMS provides the URI to the public key stored in a Key Management System. See:
https://github.com/sigstore/cosign/blob/main/KMS.md
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
specified or can be a variable reference to a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying it in the format ‘k8s:///<secret_name>’.
The named Secret must specify a key
cosign.pub containing the public key used for
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each key is processed as a separate staticKey entry
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
PodSecurity applies exemptions for Kubernetes Pod Security admission
by specifying exclusions for Pod Security Standards controls.
Exclude specifies the Pod Security Standard controls to be excluded.
ControlName specifies the name of the Pod Security Standard control.
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Images selects matching containers and applies the container level PSS.
Each image is the image name consisting of the registry address, repository, image, and tag.
Empty list matches no containers, PSS checks are applied at the pod level only.
Wildcards (’*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
VerifyImages is used to verify image signatures and mutate them to add a digest
Attestations are optional checks for signed in-toto Statements used to verify the image.
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
OCI registry and decodes them into a list of Statement declarations.
Attestors specify the required attestors (i.e. authorities).
Count specifies the required number of entries that must match. If the count is null, all entries must match
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
Entries contains the available attestors. An attestor can be a static key,
attributes for keyless verification, or a nested attestor declaration.
Annotations are used for image verification.
Every specified key-value pair must exist and match in the verified payload.
The payload may contain other key-value pairs.
Certificates specifies one or more certificates.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keys specifies one or more public keys.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
KMS provides the URI to the public key stored in a Key Management System. See:
https://github.com/sigstore/cosign/blob/main/KMS.md
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
specified or can be a variable reference to a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying it in the format ‘k8s:///<secret_name>’.
The named Secret must specify a key
cosign.pub containing the public key used for
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each key is processed as a separate staticKey entry
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
the attestation check is satisfied as long there are predicates that match the predicate type.
AllConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, all of the conditions need to pass
AnyConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, at least one of the conditions need to pass
Attestors specified the required attestors (i.e. authorities)
Count specifies the required number of entries that must match. If the count is null, all entries must match
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
Entries contains the available attestors. An attestor can be a static key,
attributes for keyless verification, or a nested attestor declaration.
Annotations are used for image verification.
Every specified key-value pair must exist and match in the verified payload.
The payload may contain other key-value pairs.
Certificates specifies one or more certificates.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keyless is a set of attribute used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keys specifies one or more public keys.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
KMS provides the URI to the public key stored in a Key Management System. See:
https://github.com/sigstore/cosign/blob/main/KMS.md
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
specified or can be a variable reference to a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying it in the format ‘k8s:///<secret_name>’.
The named Secret must specify a key
cosign.pub containing the public key used for
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each key is processed as a separate staticKey entry
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.Rekor provides configuration for the Rekor transparency log service. If an empty object
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
ImageReferences is a list of matching image reference patterns. At least one pattern in the
list must match the image for the rule to apply. Each image reference consists of a registry
address (defaults to docker.io), repository, image, and tag (defaults to latest).
Wildcards (’*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
If specified Repository will override the default OCI image repository configured for the installation.
The repository can also be overridden per Attestor or Attestation.
SchemaValidation skips validation checks for policies as well as patched resources.
Optional. The default value is set to ’true’, it must be set to ‘false’ to disable the validation checks.
UseServerSideApply controls whether to use server-side apply for generate rules
If is set to ’true’ create & update for generate rules will use apply instead of create/update.
Defaults to ‘false’ if not specified.
Default:
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is ‘Audit’.AuditValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
SharedUpboundPolicyStatus defines the observed state of the projected polcies.
list of provisioning failures.
List of conditions.
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
message is a human readable message indicating details about the transition.
This may be an empty string.
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
reason contains a programmatic identifier indicating the reason for the condition’s last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
type of condition in CamelCase or in foo.example.com/CamelCase.
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
spaces.upbound.io/v1alpha1
Expand All
Collapse All
spaces.upbound.io/v1alpha1
Backup represents a single backup of a ControlPlane.
BackupSpec defines a backup over a set of ControlPlanes.
spaces.upbound.io/v1alpha1
Expand All
Collapse All
spaces.upbound.io/v1alpha1
BackupSchedule represents a single ControlPlane schedule for Backups.
BackupScheduleSpec defines a backup schedule over a set of ControlPlanes.
ControlPlane is the name of the ControlPlane to which the schedule
applies.
Requires ‘get’ permission on the referenced ControlPlane.
ExcludedResources is a slice of resource names that are not
included in the backup. Used to filter the included extra resources.
Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
Suspend specifies whether the schedule is suspended. If true, no
Backups will be created, but running backups will be allowed to
complete.
spaces.upbound.io/v1beta1
Expand All
Collapse All
spaces.upbound.io/v1beta1
ControlPlane defines a managed Crossplane instance.
A ControlPlaneSpec represents the desired state of the ControlPlane.
[[GATE:EnableControlPlaneBackup]] THIS IS AN ALPHA FIELD. Do not use it in production. Backup specifies details about the control planes backup configuration.
StorageLocation specifies details about the control planes underlying storage location where backups are stored or retrieved.
Crossplane defines the configuration for Crossplane.
Default:
AutoUpgrades defines the auto upgrade configuration for Crossplane.map[channel:Stable]Default:
Channel defines the upgrade channels for Crossplane. We support the following channels where ‘Stable’ is the default: - None: disables auto-upgrades and keeps the control plane at its current version of Crossplane. - Patch: automatically upgrades the control plane to the latest supported patch version when it becomes available while keeping the minor version the same. - Stable: automatically upgrades the control plane to the latest supported patch release on minor version N-1, where N is the latest supported minor version. - Rapid: automatically upgrades the cluster to the latest supported patch release on the latest supported minor version.StableDefault:
DeletionPolicy specifies what will happen to the underlying external resource when this managed resource is deleted - either ‘Delete’ or ‘Orphan’ the external resource. This field is planned to be deprecated in favor of the ManagementPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223DeleteDefault:
THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md[*]PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
Default:
SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret.map[name:default]Metadata is the metadata for connection secret.
Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as ‘metadata.annotations’. - It is up to Secret Store implementation for others store types.
[[GATE:EnableGitSource]] THIS IS AN ALPHA FIELD. Do not use it in production. Source points to a Git repository containing a ControlPlaneSource manifest with the desired state of the ControlPlane’s configuration.
Git is the configuration for a Git repository to pull the Control Plane Source from.
Default:
Auth is the authentication configuration to access the Git repository. Default is no authentication.map[type:None]CASecretRef is a reference to a Secret containing CA certificates to use to verify the Git server’s certificate. The secret must contain the key ‘ca.crt’ where the content is a CA certificate. The type of the secret can be ‘Opaque’ or ‘kubernetes.io/tls’.
SSH is the configuration for SSH authentication. Note that the URL must use the SSH protocol (e.g. ssh://github.com/org/repo.git).
Default:
Type of the authentication to use. Options are: None, Basic (username/password), BearerToken, SSH. Default is None. The corresponding fields must be set for the chosen authentication type.
If you are looking to use OAuth tokens with popular servers (e.g. GitHub, Bitbucket, GitLab) you should use BasicAuth instead of BearerToken. These servers use basic HTTP authentication, with the OAuth token as user or password. Check the documentation of your git server for details.NoneDefault:
Path is the path within the Git repository to pull the Control Plane Source from. The folder it points to must contain a valid ControlPlaneSource manifest. Default is the root of the repository./Default:
PullInterval is the interval at which the Git repository should be polled for changes. The format is 1h2m3s. Default is 90s. Minimum is 15s.90sWriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
If omitted, it is defaulted to the namespace of the ControlPlane.
A ControlPlaneStatus represents the observed state of a ControlPlane.
spaces.upbound.io/v1alpha1
Expand All
Collapse All
spaces.upbound.io/v1alpha1
SharedBackupConfig defines the configuration to backup and restore ControlPlanes.
A SharedBackupConfigSpec represents the configuration to backup or restore
ControlPlanes using Velero.
ObjectStorage specifies the object storage configuration for the given provider.
Config is a free-form map of configuration options for the object storage provider.
See https://github.com/thanos-io/objstore?tab=readme-ov-file for more
information on the formats for each supported cloud provider. Bucket and
Provider will override the required values in the config.
spaces.upbound.io/v1alpha1
Expand All
Collapse All
spaces.upbound.io/v1alpha1
SharedBackup defines a backup over a set of ControlPlanes.
SharedBackupSpec defines a backup over a set of ControlPlanes.
ControlPlaneSelector defines the selector for ControlPlanes to backup.
Requires ‘backup’ permission on all ControlPlanes in the same namespace.
A resource is matched if any of the label selector matches.
In case when the list is empty, resource is matched too.
ExcludedResources is a slice of resource names that are not
included in the backup. Used to filter the included extra resources.
spaces.upbound.io/v1alpha1
Expand All
Collapse All
spaces.upbound.io/v1alpha1
SharedBackupSchedule defines a schedule for SharedBackup on a set of
ControlPlanes.
SharedBackupScheduleSpec defines the desired state of a SharedBackupSchedule.
ControlPlaneSelector defines the selector for ControlPlanes to backup.
Requires ‘backup’ permission on all ControlPlanes in the same namespace.
A resource is matched if any of the label selector matches.
In case when the list is empty, resource is matched too.
ExcludedResources is a slice of resource names that are not
included in the backup. Used to filter the included extra resources.
Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
Suspend specifies whether the schedule is suspended. If true, no
Backups will be created, but running backups will be allowed to
complete.
spaces.upbound.io/v1alpha1
Expand All
Collapse All
spaces.upbound.io/v1alpha1
SharedExternalSecret specifies a shared ExternalSecret projected into the specified ControlPlanes of the same namespace as ClusterExternalSecret and with that propagated into the specified namespaces.
SharedExternalSecretSpec defines the desired state of SharedExternalSecret.
The secret is projected only to control planes matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
ExternalSecretName is the name to use when creating external secret within a control plane. optional, if not set, SharedExternalSecret name will be used. When set, it is immutable.
The spec for the ExternalSecrets to be created.
Data defines the connection between the Kubernetes Secret keys and the Provider data
SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret
DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
Default:
RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are ’ns’, ‘us’ (or ‘µs’), ‘ms’, ’s’, ’m’, ‘h’ May be set to zero to fetch and create it once. Defaults to 1h.1hDefault:
ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.map[creationPolicy:Owner deletionPolicy:Retain]Default:
CreationPolicy defines rules on how to create the resulting Secret Defaults to ‘Owner’OwnerDefault:
DeletionPolicy defines rules on how to delete the resulting Secret Defaults to ‘Retain’RetainName defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
The projected secret can be consumed only within namespaces matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
spaces.upbound.io/v1alpha1
Expand All
Collapse All
spaces.upbound.io/v1alpha1
SharedSecretStore represents a shared SecretStore projected as ClusterSecretStore into matching ControlPlanes in the same namespace. Once projected into a ControlPlane, it can be referenced from ExternalSecret instances, as part of
storeRef fields. The secret store configuration including referenced credential are not leaked into the ControlPlanes and in that sense can be called secure as they are invisible to the ControlPlane workloads.SharedSecretStoreSpec defines the desired state of SecretStore.
The store is projected only to control planes matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
The projected secret store can be consumed only within namespaces matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
Used to configure the provider. Only one provider may be set.
Akeyless configures this store to sync secrets using Akeyless Vault provider
Auth configures how the operator authenticates with Akeyless.
Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key,
token is the default. If one is not specified, the one bound to the controller will be used.Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
Reference to a Secret that contains the details to authenticate with Akeyless.
PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection.
Alibaba configures this store to sync secrets using Alibaba Cloud provider
AlibabaAuth contains a secretRef for credentials.
AlibabaAuthSecretRef holds secret references for Alibaba credentials.
AWS configures this store to sync secrets using AWS Secret Manager provider
AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
Specifies whether to delete the secret without any recovery window. You can’t use both this parameter and RecoveryWindowInDays in the same call. If you don’t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can’t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don’t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
AzureKV configures this store to sync secrets using Azure Key Vault provider
Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
Default:
Auth type defines how to authenticate to the keyvault service. Valid values are: - ‘ServicePrincipal’ (default): Using a service principal (tenantId, clientId, clientSecret) - ‘ManagedIdentity’: Using Managed Identity assigned to the pod (see aad-pod-identity)ServicePrincipalDefault:
EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloudPublicCloudServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
Conjur configures this store to sync secrets using conjur provider
Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the
TokenRequest API.Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
TLD is based on the server location that was chosen during provisioning. If unset, defaults to ‘com’.
URLTemplate If unset, defaults to ‘https://%s.secretsvaultcloud.%s/v1/%s%s’.
Doppler configures this store to sync secrets using the Doppler provider
Auth configures how the Operator authenticates with the Doppler API
The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
Auth defines the information necessary to authenticate against GCP
GitLab configures this store to sync secrets using GitLab Variables provider
Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
IBM configures this store to sync secrets using IBM Cloud provider
KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
Auth configures how secret-manager authenticates with a Kubernetes instance.
has both clientCert and clientKey as secretKeySelector
OnePassword configures this store to sync secrets using the 1Password Cloud provider
Auth defines the information necessary to authenticate against OnePassword Connect Server
Oracle configures this store to sync secrets using Oracle Vault provider
Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
SecretRef to pass through sensitive information.
The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
Scaleway
APIURL is the url of the api to use. Defaults to https://api.scaleway.com
ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings
Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone
Senhasegura configures this store to sync secrets using senhasegura provider
Auth defines parameters to authenticate in senhasegura
Vault configures this store to sync secrets using Hashi provider
Auth configures how secret-manager authenticates with the Vault server.
AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The
key field must be specified and denotes which entry within the Secret resource is used as the app role id.Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The
key field must be specified and denotes which entry within the Secret resource is used as the app role secret.Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method
Specify credentials in a Secret object
The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the
TokenRequest API.Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by
serviceAccountRef. Defaults to a single audience vault it not specified. Deprecated: use serviceAccountRef.Audiences insteadOptional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by
serviceAccountRef. Deprecated: this will be removed in the future. Defaults to 10 minutes.Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
Default:
Path where the Kubernetes authentication backend is mounted in Vault, e.g: ‘kubernetes’kubernetesA required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key,
token is the default. If one is not specified, the one bound to the controller will be used.Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
UserPass authenticates with Vault by passing username/password pair
PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: ’ns1’. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
Path is the mount path of the Vault KV backend endpoint, e.g: ‘secret’. The v2 KV secret engine version specific ‘/data’ path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.
ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
Server is the connection address for the Vault server, e.g: ‘https://vault.example.com:8200’.
Webhook configures this store to sync secrets using a generic templated webhook
PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
