The Space API describes the types and parameters for the core Space components.
When set to One, processing stops after a rule has been applied, i.e. the rule matches and results in a pass, fail, or error. When set to All, all rules in the policy are processed. The default is All.
GetFailurePolicy() should be used. Allowed values are Ignore or Fail. Defaults to Fail.
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
- ‘object’ - The object from the incoming request. The value is null for DELETE requests.
- ‘oldObject’ - The existing object. The value is null for CREATE requests.
- ‘request’ - Attributes of the admission request (https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest).
- ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, ‘-’, ‘_’ or ‘.’, and must start and end with an alphanumeric character (e.g. ‘MyName’, or ‘my.name’, or ‘123-abc’, regex used for validation is ‘([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]’) with an optional DNS subdomain prefix and ‘/’ (e.g. ‘example.com/MyName’)
Required.
kubectl get --raw command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details.
matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
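The wildcard rule above has one edge case worth checking before relying on a selector to scope a policy: [‘*’ : ‘*’] still requires at least one label to exist, so unlabelled resources fall outside the selector. The following is an added example, not Kyverno's own matcher; it models the documented semantics with Python's fnmatch and runs over a constructed inventory (SAMPLE_RESOURCES and the select helper are assumptions for illustration).

```python
from fnmatch import fnmatchcase


def selector_matches(match_labels: dict, labels: dict) -> bool:
    """Return True when every entry of match_labels is satisfied by labels.

    Keys and values in match_labels may use '*' (zero or more characters) and
    '?' (exactly one character). An entry is satisfied when at least one actual
    label matches both its key pattern and its value pattern, so a selector such
    as {"*": "*"} matches any labelled resource but never an empty label set.
    fnmatchcase is case-sensitive and treats '[' as special, but '[' is not a
    legal character in a Kubernetes label key or value, so that does not matter here.
    """
    for key_pattern, value_pattern in match_labels.items():
        satisfied = any(
            fnmatchcase(key, key_pattern) and fnmatchcase(value, value_pattern)
            for key, value in labels.items()
        )
        if not satisfied:
            return False
    return True


def select(match_labels: dict, resources: list) -> list:
    """Names of the resources (dicts with 'name' and 'labels') the selector picks."""
    return [r["name"] for r in resources if selector_matches(match_labels, r["labels"])]


# Constructed sample inventory (not from the page) used to exercise the matcher.
SAMPLE_RESOURCES = [
    {"name": "csi-driver", "labels": {"storage.k8s.io/csi": "enabled"}},
    {"name": "web", "labels": {"app": "web-1", "tier": "frontend"}},
    {"name": "unlabelled", "labels": {}},
]


if __name__ == "__main__":
    # The catch-all selector skips the unlabelled resource, which is the case
    # a policy author usually does not expect.
    print(select({"*": "*"}, SAMPLE_RESOURCES))            # ['csi-driver', 'web']
    print(select({"storage.k8s.io/*": "*"}, SAMPLE_RESOURCES))  # ['csi-driver']
```

When a policy is meant to cover every resource in a namespace, prefer omitting the selector entirely over writing a wildcard one: the empty selector matches everything, including resources with no labels, whereas the wildcard form gives an attacker-controlled object a way out by simply carrying no labels.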
matchLabels. Wildcard characters are not supported.
any or all statements. See: https://kyverno.io/docs/writing-policies/preconditions/
any or all statements. A direct list of conditions (without any or all statements) is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/
key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: ‘{ValidatingAdmissionPolicy name}/{key}’.
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.
Required.
valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.
If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.
Required.
Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
- ‘object’ - The object from the incoming request. The value is null for DELETE requests.
- ‘oldObject’ - The existing object. The value is null for CREATE requests.
- ‘request’ - Attributes of the API request(ref).
- ‘params’ - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
- ’namespaceObject’ - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
- ‘variables’ - Map of composited variables, from its name to its lazily evaluated value. For example, a variable named ‘foo’ can be accessed as ‘variables.foo’.
- ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource.
The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the object. No other metadata properties are accessible.
Only property names of the form [a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible.
Accessible property names are escaped according to the following rules when accessed in the expression:
- ‘__’ escapes to ‘__underscores__’
- ‘.’ escapes to ‘__dot__’
- ‘-’ escapes to ‘__dash__’
- ‘/’ escapes to ‘__slash__’
- Property names that exactly match a CEL RESERVED keyword escape to ‘__{keyword}__’. The keywords are: ‘true’, ‘false’, ‘null’, ‘in’, ‘as’, ‘break’, ‘const’, ‘continue’, ‘else’, ‘for’, ‘function’, ‘if’, ‘import’, ‘let’, ‘loop’, ‘package’, ‘namespace’, ‘return’.
Examples:
- Expression accessing a property named ‘namespace’: {‘Expression’: ‘object.__namespace__ > 0’}
- Expression accessing a property named ‘x-prop’: {‘Expression’: ‘object.x__dash__prop > 0’}
- Expression accessing a property named ‘redact__d’: {‘Expression’: ‘object.redact__underscores__d > 0’}
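Getting a property name wrong in a validation expression is a silent failure mode: the expression either fails to compile (and the policy is rejected) or, worse, reads a different field than intended. The code below is an added illustration of the accessible-name form and the escaping rules as the page states them; it is not the API server's own escaping routine, and the helper names (escape_property, cel_accessor) are assumptions. The hyphen in the page's character class is taken as a literal character, which is what the ‘-’ rule and the ‘x-prop’ example require.

```python
import re

# Accessible property names, with '-' read as a literal character.
_ACCESSIBLE = re.compile(r"[A-Za-z_.\-/][A-Za-z0-9_.\-/]*\Z")

# Property names that collide with CEL reserved keywords (list from the page).
CEL_RESERVED = {
    "true", "false", "null", "in", "as", "break", "const", "continue", "else",
    "for", "function", "if", "import", "let", "loop", "package", "namespace",
    "return",
}

_CHAR_ESCAPES = {".": "__dot__", "-": "__dash__", "/": "__slash__"}


def escape_property(name: str):
    """Return the identifier used to reach property `name` inside a CEL expression.

    Returns None when the property is not accessible at all (it does not match
    the accessible-name form). Otherwise applies the documented rules: an exact
    reserved keyword becomes __keyword__, each '__' becomes __underscores__, and
    '.', '-', '/' become __dot__, __dash__, __slash__. A single '_' is a legal
    CEL identifier character and is left alone.
    """
    if not _ACCESSIBLE.match(name):
        return None
    if name in CEL_RESERVED:
        return f"__{name}__"
    out = []
    i = 0
    while i < len(name):
        if name.startswith("__", i):
            out.append("__underscores__")
            i += 2
        else:
            out.append(_CHAR_ESCAPES.get(name[i], name[i]))
            i += 1
    return "".join(out)


def cel_accessor(path, root="object"):
    """Build the CEL access path for a nested property, e.g. ["spec", "x-prop"].

    Raises ValueError if any segment is not an accessible property name, so a
    policy author finds the problem before the expression is deployed.
    """
    parts = [root]
    for segment in path:
        escaped = escape_property(segment)
        if escaped is None:
            raise ValueError(f"property {segment!r} is not accessible from CEL")
        parts.append(escaped)
    return ".".join(parts)


if __name__ == "__main__":
    print(cel_accessor(["metadata", "annotations", "app.kubernetes.io/name"]))
    # object.metadata.annotations.app__dot__kubernetes__dot__io__slash__name
```

Note the rule ordering: the keyword check applies to the whole name only, so ‘namespaces’ is left as-is while ‘namespace’ becomes ‘__namespace__’; and the ‘__’ rule is applied before the single-character rules, so ‘redact__d’ becomes ‘redact__underscores__d’ rather than something that would itself look like an escape.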
Equality on arrays with list type of ‘set’ or ‘map’ ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
- ‘set’: X + Y performs a union where the array positions of all elements in X are preserved and non-intersecting elements in Y are appended, retaining their partial order.
- ‘map’: X + Y performs a merge where the array positions of all keys in X are preserved but the values are overwritten by values in Y when the key sets of X and Y intersect. Elements in Y with non-intersecting keys are appended, retaining their partial order.
Required.
expression except for ‘authorizer’ and ‘authorizer.requestResource’.
Example: ‘object.x must be less than max (’+string(params.max)+’)’
name is the name of the resource being referenced. name and selector are mutually exclusive properties. If one is set, the other must be unset.
namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both name and selector fields.
A per-namespace parameter may be used by specifying a namespace-scoped paramKind in the policy and leaving this field empty.
If paramKind is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.
If paramKind is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.
parameterNotFoundAction controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to Allow, then no matched parameters will be treated as successful validation by the binding. If set to Deny, then no matched parameters will be subject to the failurePolicy of the policy.
Allowed values are Allow or Deny. Defaults to Deny.
selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.
If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.
One of name or selector must be set, but name and selector are mutually exclusive properties. If one is set, the other must be unset.
variables in other expressions of the policy.
any or all statement. A direct list of conditions (without any or all statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules