The Space API describes the types and parameters for the core Space components.

Kind
Group/Version
authorization.spaces.upbound.io/v1alpha1
authorization.spaces.upbound.io/v1alpha1
An ObjectRoleBinding binds a namespaced API object to a set of subjects, at varying access levels. For now, there can be at most one ObjectRoleBinding pointing to each API object.
ObjectRoleBindingSpec is ObjectRoleBinding’s spec.
Object references the object to which the listed subjects should have access at varying levels. The object value is immutable after creation.
APIGroup defines the apiGroup of the object being pointed to. With some minor differences, this is essentially matched as a DNS subdomain, like how Kubernetes validates it. The Kubernetes legacy core group is denoted as ‘core’.
Name points to the .metadata.name of the object targeted. Kubernetes validates this as a DNS 1123 subdomain.
Resource defines the resource type (often kind in plural, e.g. controlplanes) being pointed to. With some minor differences, this is essentially matched as a DNS label, like how Kubernetes validates it.
Subjects should be a map type keyed by both kind and name.
Kind of subject being referenced. Values defined by this API group are for now only ‘UpboundTeam’.
Name (identifier) of the subject (of the specified kind) being referenced. The identifier must be 2-100 chars, [a-zA-Z0-9-], no repeating dashes, can’t start/end with a dash. Notably, a UUID fits that format.
Role this subject has on the associated Object. The list of valid roles is defined for each target API resource separately. For namespaces, valid values are ‘viewer’, ‘editor’, and ‘admin’. The format is essentially an RFC 1035 label with underscores instead of dashes, at least three characters long.
ObjectRoleBindingStatus is ObjectRoleBinding’s status.
observability.spaces.upbound.io/v1alpha1
observability.spaces.upbound.io/v1alpha1
SharedTelemetryConfig defines a telemetry configuration over a set of ControlPlanes.
SharedTelemetryConfigSpec defines a telemetry configuration over a set of ControlPlanes.
ControlPlaneSelector defines the selector for ControlPlanes on which to configure telemetry.
A resource is matched if any of the label selectors matches. When the list is empty, every resource is matched.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. When the list is empty, every resource is matched.
ExportPipeline defines the telemetry exporter pipeline to configure on the selected ControlPlanes.
Metrics defines the metrics exporter pipeline to configure on the selected ControlPlanes. The value has to be present in the spec.exporters field.
Traces defines the traces exporter pipeline to configure on the selected ControlPlanes. The value has to be present in the spec.exporters field.
Exporters defines the exporters to configure on the selected ControlPlanes. Untyped, because the underlying OpenTelemetry Operator is used to configure the OpenTelemetry Collector’s exporters. Use the OpenTelemetry Collector documentation to configure the exporters. Currently only push-based exporters are supported.
SharedTelemetryConfigStatus represents the observed state of a SharedTelemetryConfig.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
List of provisioning failures.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
ControlPlane name where the failure occurred.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
List of successfully provisioned targets.
SelectedControlPlanes represents the names of the selected ControlPlanes.
policy.spaces.upbound.io/v1alpha1
policy.spaces.upbound.io/v1alpha1
SharedUpboundPolicy specifies a shared Kyverno policy projected into the specified ControlPlanes of the same namespace as SharedUpboundPolicy.
SharedUpboundPolicySpec defines the desired state of SharedUpboundPolicy.
Default: true
Admission controls if rules are applied during admission. Optional. Default value is ‘true’.
ApplyRules controls how rules in a policy are applied. Rules are processed in the order of declaration. When set to One, processing stops after a rule has been applied, i.e. the rule matches and results in a pass, fail, or error. When set to All, all rules in the policy are processed. The default is All.
Default: true
Background controls if rules are applied to existing resources during a background scan. Optional. Default value is ‘true’. The value must be set to ‘false’ if the policy rule uses variables that are only available in the admission review request (e.g. user name).
The policy is projected only to control planes matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selectors matches. When the list is empty, every resource is matched.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. When the list is empty, every resource is matched.
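The ControlPlaneSelector semantics described for SharedTelemetryConfig and SharedUpboundPolicy (requirements inside one label selector ANDed, matchLabels rewritten as In requirements, selectors in the list ORed, an empty names or labelSelectors list matching everything) worked through as an added example, not code from the Spaces project. The YAML field names `labelSelectors` and `names`, the ANDing of the names list with the label selector list, and the sample ControlPlanes are assumptions.

```python
"""Evaluate a Spaces ControlPlaneSelector against a set of ControlPlanes (added example)."""
from typing import Any

VALID_OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}

# Constructed sample ControlPlanes (not real objects): metadata.name plus metadata.labels.
SAMPLE_CONTROL_PLANES = [
    {"metadata": {"name": "prod-eu", "labels": {"env": "prod", "region": "eu"}}},
    {"metadata": {"name": "prod-us", "labels": {"env": "prod", "region": "us"}}},
    {"metadata": {"name": "dev-eu", "labels": {"env": "dev", "region": "eu"}}},
    {"metadata": {"name": "sandbox"}},  # carries no labels at all
]


def requirement_matches(labels: dict[str, str], req: dict[str, Any]) -> bool:
    """Evaluate one matchExpressions entry, enforcing the values-array rules from the reference."""
    key, op, values = req["key"], req["operator"], req.get("values") or []
    if op not in VALID_OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    if op in ("In", "NotIn") and not values:
        raise ValueError(f"{op} requires a non-empty values array")
    if op in ("Exists", "DoesNotExist") and values:
        raise ValueError(f"{op} requires an empty values array")
    present = key in labels
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op == "In":
        return present and labels[key] in values
    # NotIn: a resource without the key also satisfies the requirement (Kubernetes semantics).
    return not present or labels[key] not in values


def label_selector_matches(labels: dict[str, str], selector: dict[str, Any]) -> bool:
    """A matchLabels {key: value} is the requirement {key, In, [value]}; all requirements are ANDed."""
    reqs = [{"key": k, "operator": "In", "values": [v]}
            for k, v in (selector.get("matchLabels") or {}).items()]
    reqs += selector.get("matchExpressions") or []
    return all(requirement_matches(labels, r) for r in reqs)  # empty selector matches everything


def control_plane_selected(cp: dict[str, Any], selector: dict[str, Any]) -> bool:
    """labelSelectors are ORed; an empty labelSelectors or names list matches every ControlPlane.
    Combining the two lists with AND is an assumption; the reference does not say how they combine."""
    name = cp["metadata"]["name"]
    labels = cp["metadata"].get("labels") or {}
    label_selectors = selector.get("labelSelectors") or []
    names = selector.get("names") or []
    by_labels = not label_selectors or any(label_selector_matches(labels, s) for s in label_selectors)
    by_name = not names or name in names
    return by_labels and by_name


def select_control_planes(control_planes: list[dict[str, Any]], selector: dict[str, Any]) -> list[str]:
    """Names of the selected ControlPlanes, i.e. what SelectedControlPlanes in the status would list."""
    return [cp["metadata"]["name"] for cp in control_planes if control_plane_selected(cp, selector)]


if __name__ == "__main__":
    prod_not_us = {"labelSelectors": [{
        "matchLabels": {"env": "prod"},
        "matchExpressions": [{"key": "region", "operator": "NotIn", "values": ["us"]}],
    }]}
    print(select_control_planes(SAMPLE_CONTROL_PLANES, prod_not_us))  # ['prod-eu']
```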
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead GetFailurePolicy() should be used. Allowed values are Ignore or Fail. Defaults to Fail.
GenerateExisting controls whether to trigger the generate rule on existing resources. If set to ‘true’, the generate rule will be triggered and applied to existing matched resources. Defaults to ‘false’ if not specified.
Deprecated; use generateExisting instead.
MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is ‘false’.
The metadata of the policy to be created.
Annotations that are set on projected resource.
Labels that are set on projected resource.
PolicyName is the name to use when creating the policy within a control plane. Optional; if not set, the SharedUpboundPolicy name will be used. When set, it is immutable.
Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.
CELPreconditions are used to determine if a policy rule should be applied by evaluating a set of CEL conditions. It can only be used with the validate.cel subrule.

Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:

‘object’ - The object from the incoming request. The value is null for DELETE requests.
‘oldObject’ - The existing object. The value is null for CREATE requests.
‘request’ - Attributes of the admission request (https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest).
‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/

Required.

Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, ‘-’, ‘_’ or ‘.’, and must start and end with an alphanumeric character (e.g. ‘MyName’, or ‘my.name’, or ‘123-abc’; the regex used for validation is ‘([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]’) with an optional DNS subdomain prefix and ‘/’ (e.g. ‘example.com/MyName’).

Required.

Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service. The data returned is stored in the context with the name for the context entry.
Data specifies the POST data sent to the server.
Key is a unique identifier for the data value.
Value is the data value.
JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the server. For example a JMESPath of ‘items | length(@)’ applied to the API server response for the URLPath ‘/apis/apps/v1/deployments’ will return the total count of deployments across all namespaces.
Default: GET
Method is the HTTP request type (GET or POST).
Service is an API call to a JSON web service.
CABundle is a PEM encoded CA bundle which will be used to validate the server certificate.
URL is the JSON web service URL. A typical form is https://{service}.{namespace}:{port}/{path}.
URLPath is the URL path to be used in the HTTP GET or POST request to the Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’). The format required is the same format used by the kubectl get --raw command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details.
ConfigMap is the ConfigMap reference.
Name is the ConfigMap name.
Namespace is the ConfigMap namespace.
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
ImageRegistryCredentials provides credentials that will be used for authentication with the registry.
AllowInsecureRegistry allows insecure access to a registry.
Providers specifies a list of OCI Registry names, whose authentication providers are provided. It can be one of these values: default, google, azure, amazon, github.
Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.
JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference.
Reference is the image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest
Name is the variable name.
Variable defines an arbitrary JMESPath context variable that can be defined inline.
Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil.
JMESPath is an optional JMESPath Expression that can be used to transform the variable.
Value is any arbitrary JSON object representable in YAML or JSON form.
ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role.
All allows specifying resources which will be ANDed.
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE’, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognize the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespaced, such as ‘User’ or ‘Group’, and this value is not empty, the Authorizer should report an error.
Any allows specifying resources which will be ORed.
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE’, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognize the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespaced, such as ‘User’ or ‘Group’, and this value is not empty, the Authorizer should report an error.
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under ‘any’ or ‘all’ instead.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE’, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognize the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespaced, such as ‘User’ or ‘Group’, and this value is not empty, the Authorizer should report an error.
Generation is used to create new resources.
APIVersion specifies resource apiVersion.
Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only.
Name specifies name of the resource.
Namespace specifies source resource namespace.
CloneList specifies the list of source resource used to populate each generated resource.
Kinds is a list of resource kinds.
Namespace specifies source resource namespace.
Selector is a label selector on the label keys and values in matchLabels. Wildcard characters are not supported.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
Kind specifies resource kind.
Name specifies the resource name.
Namespace specifies resource namespace.
Synchronize controls if generated resources should be kept in sync with their source resource. If Synchronize is set to ‘true’, changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to ‘false’ if not specified.
UID specifies the resource uid.
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules.
MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.
All allows specifying resources which will be ANDed.
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE’, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’ : ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognize the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespaced, such as ‘User’ or ‘Group’, and this value is not empty, the Authorizer should report an error.
Any allows specifying resources which will be ORed.
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’: ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespace names. Each name supports the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character).
Operations can contain the values [‘CREATE’, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific admission action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’: ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ‘’ (the empty string) for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognize the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespaced, such as ‘User’ or ‘Group’, and this value is not empty, the Authorizer should report an error.
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under ‘any’ or ‘all’ instead.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’: ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespace names. Each name supports the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character).
Operations can contain the values [‘CREATE’, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific admission action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters ‘*’ (matches zero or more characters) and ‘?’ (matches exactly one character). Wildcards allow writing label selectors like [‘storage.k8s.io/*’: ‘*’]. Note that using [‘*’: ‘*’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ‘’ (the empty string) for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognize the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespaced, such as ‘User’ or ‘Group’, and this value is not empty, the Authorizer should report an error.
Mutation is used to modify matching resources.
ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service. The data returned is stored in the context with the name for the context entry.
Data specifies the POST data sent to the server.
Key is a unique identifier for the data value
Value is the data value
JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the server. For example a JMESPath of ‘items | length(@)’ applied to the API server response for the URLPath ‘/apis/apps/v1/deployments’ will return the total count of deployments across all namespaces.
Default: GET
Method is the HTTP request type (GET or POST).
Service is an API call to a JSON web service
CABundle is a PEM encoded CA bundle which will be used to validate the server certificate.
URL is the JSON web service URL. A typical form is https://{service}.{namespace}:{port}/{path}.
URLPath is the URL path to be used in the HTTP GET or POST request to the Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’). The format required is the same format used by the kubectl get --raw command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details.
ConfigMap is the ConfigMap reference.
Name is the ConfigMap name.
Namespace is the ConfigMap namespace.
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
ImageRegistryCredentials provides credentials that will be used for authentication with the registry.
AllowInsecureRegistry allows insecure access to a registry.
Providers specifies a list of OCI registry authentication providers to use. Allowed values: default, google, azure, amazon, github.
Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.
JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference.
Reference is the image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest
Name is the variable name.
Variable defines an arbitrary JMESPath context variable that can be defined inline.
Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
JMESPath is an optional JMESPath Expression that can be used to transform the variable.
Value is any arbitrary JSON object representable in YAML or JSON form.
Foreach declares a nested foreach iterator.
List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied.
Order defines the iteration order on the list. Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested any or all statements. See: https://kyverno.io/docs/writing-policies/preconditions/
AllConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass.
Key is the context entry (using JMESPath) for conditional rule evaluation.
Message is an optional display message
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath.
AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions needs to pass.
Key is the context entry (using JMESPath) for conditional rule evaluation.
Message is an optional display message
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath.
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
Targets defines the target resources to be mutated.
APIVersion specifies resource apiVersion.
Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service. The data returned is stored in the context with the name for the context entry.
Data specifies the POST data sent to the server.
Key is a unique identifier for the data value
Value is the data value
JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the server. For example a JMESPath of ‘items | length(@)’ applied to the API server response for the URLPath ‘/apis/apps/v1/deployments’ will return the total count of deployments across all namespaces.
Default: GET
Method is the HTTP request type (GET or POST).
Service is an API call to a JSON web service
CABundle is a PEM encoded CA bundle which will be used to validate the server certificate.
URL is the JSON web service URL. A typical form is https://{service}.{namespace}:{port}/{path}.
URLPath is the URL path to be used in the HTTP GET or POST request to the Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’). The format required is the same format used by the kubectl get --raw command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details.
ConfigMap is the ConfigMap reference.
Name is the ConfigMap name.
Namespace is the ConfigMap namespace.
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
ImageRegistryCredentials provides credentials that will be used for authentication with the registry.
AllowInsecureRegistry allows insecure access to a registry.
Providers specifies a list of OCI registry authentication providers to use. Allowed values: default, google, azure, amazon, github.
Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.
JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference.
Reference is the image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest
Name is the variable name.
Variable defines an arbitrary JMESPath context variable that can be defined inline.
Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
JMESPath is an optional JMESPath Expression that can be used to transform the variable.
Value is any arbitrary JSON object representable in YAML or JSON form.
Kind specifies resource kind.
Name specifies the resource name.
Namespace specifies resource namespace.
Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested any or all statements. A direct list of conditions (without any or all statements) is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/
UID specifies the resource uid.
Name is a label to identify the rule, It must be unique within the policy.
Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested any or all statements. A direct list of conditions (without any or all statements) is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/
Default: true
SkipBackgroundRequests bypasses admission requests that are sent by the background controller. The default value is ‘true’; it must be set to ‘false’ to apply generate and mutateExisting rules to those requests.
Validation is used to validate matching resources.
AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed.
CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.

key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.

The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: ‘{ValidatingAdmissionPolicy name}/{key}’.

If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.

Required.

valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.

If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.

Required.

Expressions is a list of CELExpression types.

Expression represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:

  • ‘object’ - The object from the incoming request. The value is null for DELETE requests.
  • ‘oldObject’ - The existing object. The value is null for CREATE requests.
  • ‘request’ - Attributes of the API request(ref).
  • ‘params’ - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
  • ‘namespaceObject’ - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
  • ‘variables’ - Map of composited variables, from its name to its lazily evaluated value. For example, a variable named ‘foo’ can be accessed as ‘variables.foo’.
  • ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
  • ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource.

The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the object. No other metadata properties are accessible.

Only property names of the form [a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible. Accessible property names are escaped according to the following rules when accessed in the expression:

  • ‘__’ escapes to ‘__underscores__’
  • ‘.’ escapes to ‘__dot__’
  • ‘-’ escapes to ‘__dash__’
  • ‘/’ escapes to ‘__slash__’
  • Property names that exactly match a CEL RESERVED keyword escape to ‘__{keyword}__’. The keywords are: ‘true’, ‘false’, ‘null’, ‘in’, ‘as’, ‘break’, ‘const’, ‘continue’, ‘else’, ‘for’, ‘function’, ‘if’, ‘import’, ‘let’, ‘loop’, ‘package’, ‘namespace’, ‘return’. Examples:
    • Expression accessing a property named ‘namespace’: {‘Expression’: ‘object.__namespace__ > 0’}
    • Expression accessing a property named ‘x-prop’: {‘Expression’: ‘object.x__dash__prop > 0’}
    • Expression accessing a property named ‘redact__d’: {‘Expression’: ‘object.redact__underscores__d > 0’}

Equality on arrays with list type of ‘set’ or ‘map’ ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:

  • ‘set’: X + Y performs a union where the array positions of all elements in X are preserved and non-intersecting elements in Y are appended, retaining their partial order.
  • ‘map’: X + Y performs a merge where the array positions of all keys in X are preserved but the values are overwritten by values in Y when the key sets of X and Y intersect. Elements in Y with non-intersecting keys are appended, retaining their partial order.

Required.
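The property-name escaping rules listed above, as an added Python illustration. This is not the Kubernetes apiserver's escaping code: the function, the regular expression for accessible names, the cel_path helper and the sample property names are constructed for the example, following the rules as the text states them.

```python
"""Added illustration of CEL property-name escaping (not Kubernetes code).

Implements the rules quoted above: only names matching
[a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible; '__' -> '__underscores__',
'.' -> '__dot__', '-' -> '__dash__', '/' -> '__slash__'; a name that is
exactly a CEL reserved keyword becomes '__{keyword}__'.
"""
import re
from typing import Optional

CEL_RESERVED = {
    "true", "false", "null", "in", "as", "break", "const", "continue", "else",
    "for", "function", "if", "import", "let", "loop", "package", "namespace", "return",
}
# Property names that CEL can address at all (from the rule quoted above).
ACCESSIBLE = re.compile(r"^[a-zA-Z_.\-/][a-zA-Z0-9_.\-/]*$")
SINGLE_CHAR_ESCAPES = {".": "__dot__", "-": "__dash__", "/": "__slash__"}


def escape_property(name: str) -> Optional[str]:
    """Return the escaped CEL identifier for a property name, or None if inaccessible."""
    if not ACCESSIBLE.match(name):
        return None
    if name in CEL_RESERVED:
        return f"__{name}__"
    out = []
    i = 0
    while i < len(name):
        if name.startswith("__", i):
            out.append("__underscores__")
            i += 2
        else:
            out.append(SINGLE_CHAR_ESCAPES.get(name[i], name[i]))
            i += 1
    return "".join(out)


def cel_path(root: str, *properties: str) -> str:
    """Build a dotted CEL access path from unescaped property names.

    Raises ValueError for a property CEL cannot reach, so a policy author finds
    out at authoring time rather than from a compile error in the policy.
    """
    parts = [root]
    for prop in properties:
        escaped = escape_property(prop)
        if escaped is None:
            raise ValueError(f"property {prop!r} is not accessible from CEL")
        parts.append(escaped)
    return ".".join(parts)


if __name__ == "__main__":
    # Constructed examples, including the three from the rules above.
    for name in ("namespace", "x-prop", "redact__d", "app.kubernetes.io/name", "0abc"):
        print(f"{name!r:28} -> {escape_property(name)!r}")
    print(cel_path("object", "spec", "x-prop") + " > 0")
```

The keyword check runs before character escaping because it applies only to names that are exactly a keyword; a name such as ‘namespace-id’ is not reserved and escapes character by character to ‘namespace__dash__id’.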
Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks, and the message itself must not contain line breaks. If unset, the message is ‘failed Expression: {Expression}’. Example: ‘must be a URL with the host matching spec.host’.
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the expression except for ‘authorizer’ and ‘authorizer.requestResource’. Example: "object.x must be less than max (" + string(params.max) + ")"
Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: ‘Unauthorized’, ‘Forbidden’, ‘Invalid’, ‘RequestEntityTooLarge’. If not set, StatusReasonInvalid is used in the response to the client.
ParamKind is a tuple of Group Kind and Version.
APIVersion is the API group version the resources belong to. In format of ‘group/version’. Required.
Kind is the API kind the resources belong to. Required.
ParamRef references a parameter resource.

name is the name of the resource being referenced.

name and selector are mutually exclusive properties. If one is set, the other must be unset.

namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both name and selector fields.

A per-namespace parameter may be used by specifying a namespace-scoped paramKind in the policy and leaving this field empty.

  • If paramKind is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.

  • If paramKind is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.

parameterNotFoundAction controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to Allow, then no matched parameters will be treated as successful validation by the binding. If set to Deny, then no matched parameters will be subject to the failurePolicy of the policy.

Allowed values are Allow or Deny. Defaults to Deny.

selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.

If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.

One of name or selector must be set, but name and selector are mutually exclusive properties. If one is set, the other must be unset.

matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy.
Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through ‘variables’. For example, if name is ‘foo’, the variable will be available as ‘variables.foo’.
Deny defines conditions used to pass or fail a validation rule.
Multiple conditions can be declared under an any or all statement. A direct list of conditions (without any or all statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed.
Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service. The data returned is stored in the context with the name for the context entry.
Data specifies the POST data sent to the server.
Key is a unique identifier for the data value
Value is the data value
JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the server. For example a JMESPath of ‘items | length(@)’ applied to the API server response for the URLPath ‘/apis/apps/v1/deployments’ will return the total count of deployments across all namespaces.
Default: GET
Method is the HTTP request type (GET or POST).
Service is an API call to a JSON web service
CABundle is a PEM encoded CA bundle which will be used to validate the server certificate.
URL is the JSON web service URL. A typical form is https://{service}.{namespace}:{port}/{path}.
URLPath is the URL path to be used in the HTTP GET or POST request to the Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’). The format required is the same format used by the kubectl get --raw command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details.
ConfigMap is the ConfigMap reference.
Name is the ConfigMap name.
Namespace is the ConfigMap namespace.
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
ImageRegistryCredentials provides credentials that will be used for authentication with the registry.
AllowInsecureRegistry allows insecure access to a registry.
Providers specifies a list of OCI registry authentication providers to use. Allowed values: default, google, azure, amazon, github.
Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.
JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference.
Reference is the image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest
Name is the variable name.
Variable defines an arbitrary JMESPath context variable that can be defined inline.
Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
JMESPath is an optional JMESPath Expression that can be used to transform the variable.
Value is any arbitrary JSON object representable in YAML or JSON form.
Deny defines conditions used to pass or fail a validation rule.
Multiple conditions can be declared under an any or all statement. A direct list of conditions (without any or all statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to ’true’ if not specified. When set to ‘false’, ‘request.object’ is used as the validation scope within the foreach block to allow referencing other elements in the subtree.
Foreach declares a nested foreach iterator
List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied.
Pattern specifies an overlay-style pattern used to check resources.
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested any or all statements. See: https://kyverno.io/docs/writing-policies/preconditions/
AllConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass.
Key is the context entry (using JMESPath) for conditional rule evaluation.
Message is an optional display message
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath.
AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass
Key is the context entry (using JMESPath) for conditional rule evaluation.
Message is an optional display message
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath.
Manifest specifies conditions for manifest verification.
AnnotationDomain is the custom domain of the annotation for message and signature. Default is ‘cosign.sigstore.dev’.
Attestors specify the required attestors (i.e. authorities).
Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
Certificates specifies one or more certificates.
Cert is an optional PEM-encoded public certificate.
CertChain is an optional PEM encoded set of certificates used to verify.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keyless is a set of attributes used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
AdditionalExtensions are certificate extensions used for keyless signing.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
Issuer is the certificate issuer used for keyless signing.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
Subject is the verified identity used for keyless signing, for example the email address.
Keys specifies one or more public keys.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret elsewhere in the cluster by specifying it in the format ‘k8s:///<secret_name>’. The named Secret must specify a key cosign.pub containing the public key used for verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified, each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Reference to a Secret resource that contains a public key.
Name of the secret. The provided secret must contain a key named cosign.pub.
Namespace name where the Secret exists.
Default: sha256
Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
DryRun configuration.
Fields which will be ignored while comparing manifests.
Repository is an optional alternate OCI repository to use for resource bundle reference. The repository can be overridden per Attestor or Attestation.
Message specifies a custom message to be displayed on failure.
Pattern specifies an overlay-style pattern used to check resources.
PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls.
Exclude specifies the Pod Security Standard controls to be excluded.
ControlName specifies the name of the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Images selects matching containers and applies the container level PSS. Each image is the image name consisting of the registry address, repository, image, and tag. Empty list matches no containers, PSS checks are applied at the pod level only. Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
Level defines the Pod Security Standard level to be applied to workloads. Allowed values are privileged, baseline, and restricted.
Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest.
VerifyImages is used to verify image signatures and mutate them to add a digest.
Deprecated.
Deprecated. Use annotations per Attestor instead.
Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations.
Attestors specify the required attestors (i.e. authorities).
Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
Certificates specifies one or more certificates.
Cert is an optional PEM-encoded public certificate.
CertChain is an optional PEM encoded set of certificates used to verify.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keyless is a set of attributes used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
AdditionalExtensions are certificate extensions used for keyless signing.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
Issuer is the certificate issuer used for keyless signing.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
Subject is the verified identity used for keyless signing, for example the email address.
Keys specifies one or more public keys.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret elsewhere in the cluster by specifying it in the format ‘k8s:///<secret_name>’. The named Secret must specify a key cosign.pub containing the public key used for verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified, each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Reference to a Secret resource that contains a public key.
Name of the secret. The provided secret must contain a key named cosign.pub.
Namespace name where the Secret exists.
Default: sha256
Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
Conditions are used to verify attributes within a Predicate. If no Conditions are specified, the attestation check is satisfied as long as there are predicates that match the predicate type.
AllConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass.
Key is the context entry (using JMESPath) for conditional rule evaluation.
Message is an optional display message.
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
Value is the conditional value, or set of values. The values can be a fixed set or can be variables declared using JMESPath.
AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions needs to pass.
Key is the context entry (using JMESPath) for conditional rule evaluation.
Message is an optional display message.
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
Value is the conditional value, or set of values. The values can be a fixed set or can be variables declared using JMESPath.
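The any/all condition blocks described above (the AnyAllConditions used by preconditions and deny rules, and the Conditions that verify attributes within an attestation Predicate) share one evaluation shape: a direct list is the legacy form, an `all` list must pass entirely, an `any` list needs at least one match, and the two may nest. The following is an added example, not code from Upbound Spaces or Kyverno, that models that shape over a constructed admission context. Assumptions: a dotted `{{ a.b.c }}` path stands in for Kyverno's JMESPath resolution; numeric operands are already numbers; when `any` and `all` appear together they are combined with AND; the Duration operators are left unimplemented and raise.

```python
from typing import Any, Dict, List, Union

Block = Union[List[dict], Dict[str, Any]]


def resolve(key: Any, context: Dict[str, Any]) -> Any:
    """Resolve a `{{ a.b.c }}` reference against the context.
    Assumption: a dotted path stands in for the JMESPath expression Kyverno
    evaluates here; anything that is not a reference is a literal."""
    if isinstance(key, str) and key.startswith("{{") and key.endswith("}}"):
        node: Any = context
        for part in key[2:-2].strip().split("."):
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        return node
    return key


def as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]


def condition_holds(cond: dict, context: Dict[str, Any]) -> bool:
    """Evaluate one condition (key / operator / value) against the context."""
    key = resolve(cond["key"], context)
    value = resolve(cond["value"], context)
    op = cond["operator"]
    if op == "Equals":
        return key == value
    if op == "NotEquals":
        return key != value
    if op == "In":
        return key in as_list(value)
    if op == "NotIn":
        return key not in as_list(value)
    if op == "AnyIn":
        return any(k in as_list(value) for k in as_list(key))
    if op == "AllIn":
        return all(k in as_list(value) for k in as_list(key))
    if op == "AnyNotIn":
        return any(k not in as_list(value) for k in as_list(key))
    if op == "AllNotIn":
        return all(k not in as_list(value) for k in as_list(key))
    if op == "GreaterThan":
        return key > value
    if op == "GreaterThanOrEquals":
        return key >= value
    if op == "LessThan":
        return key < value
    if op == "LessThanOrEquals":
        return key <= value
    # Duration* operators need duration parsing, which this model leaves out.
    raise ValueError(f"operator not supported by this model: {op}")


def node_passes(node: Block, context: Dict[str, Any]) -> bool:
    """A node is a single condition (has 'operator') or a nested any/all block."""
    if isinstance(node, dict) and "operator" in node:
        return condition_holds(node, context)
    return conditions_pass(node, context)


def conditions_pass(block: Block, context: Dict[str, Any]) -> bool:
    """Direct list: legacy form, all entries must pass.
    Dict: 'all' must pass entirely, 'any' needs one match; both present => AND (assumed)."""
    if isinstance(block, list):
        return all(node_passes(c, context) for c in block)
    if "all" not in block and "any" not in block:
        raise ValueError("condition block needs an 'any' or 'all' list")
    ok = True
    if "all" in block:
        ok = ok and all(node_passes(c, context) for c in block["all"])
    if "any" in block:
        ok = ok and any(node_passes(c, context) for c in block["any"])
    return ok


def request_is_denied(deny_conditions: Block, context: Dict[str, Any]) -> bool:
    """A deny rule denies the request when its conditions pass."""
    return conditions_pass(deny_conditions, context)


# Constructed deny rule: block UPDATE/DELETE of objects labelled protected=true
# unless the requester belongs to the cluster-admins group.
DENY_PROTECTED = {
    "all": [
        {"key": "{{ request.operation }}", "operator": "In", "value": ["UPDATE", "DELETE"]},
        {"key": "{{ request.object.metadata.labels.protected }}", "operator": "Equals", "value": "true"},
        {"key": "cluster-admins", "operator": "AnyNotIn", "value": "{{ request.userInfo.groups }}"},
    ]
}


def constructed_context(operation: str, groups: List[str]) -> Dict[str, Any]:
    """Constructed admission-request context; shape follows Kyverno's request.* variables."""
    return {
        "request": {
            "operation": operation,
            "userInfo": {"groups": groups},
            "object": {"metadata": {"labels": {"protected": "true"}}},
        }
    }
```

`request_is_denied(DENY_PROTECTED, constructed_context("DELETE", ["dev-team"]))` is true, while the same request from a member of `cluster-admins`, or a `CREATE`, is not denied.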
Deprecated in favour of ‘Type’, to be removed soon
Type defines the type of attestation contained within the Statement.
Attestors specify the required attestors (i.e. authorities).
Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
Certificates specifies one or more certificates.
Cert is an optional PEM-encoded public certificate.
CertChain is an optional PEM encoded set of certificates used to verify.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Keyless is a set of attributes used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
AdditionalExtensions are certificate extensions used for keyless signing.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
Issuer is the certificate issuer used for keyless signing.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
Subject is the verified identity used for keyless signing, for example the email address.
Keys specifies one or more public keys.
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.
PubKey, if set, is used to validate SCTs against a custom source.
KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret elsewhere in the cluster by specifying it in the format ‘k8s:///<secret_name>’. The named Secret must specify a key cosign.pub containing the public key used for verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified, each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
Rekor provides configuration for the Rekor transparency log service. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
IgnoreTlog skips transparency log verification.
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.
URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
Reference to a Secret resource that contains a public key.
Name of the secret. The provided secret must contain a key named cosign.pub.
Namespace name where the Secret exists.
Default: sha256
Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
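The Count and Entries fields appear three times above (for manifest verification, for image verification, and for attestation checks) with the same rule: a null count means every entry must match, a count of 1 means at least one must, and a count N requires N to be at most the number of entries and at least N of them to match, where an entry is either a leaf check or a nested attestor set. The following is an added example, not code from Upbound Spaces, Kyverno or Cosign, that models that rule over constructed signature data; the leaf checks stand in for real static-key or keyless verification, and the image names and signer identities are made up.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data: which signing identities have signed which image.
# In a real deployment this information comes from Cosign signature verification.
SIGNATURES = {
    "registry.example.com/app:1.0": {"key-a", "key-b", "keyless:ci@example.com"},
    "registry.example.com/app:1.1": {"key-a"},
    "registry.example.com/app:2.0": set(),
}

Verifier = Callable[[str], bool]


def signed_by(identity: str) -> Verifier:
    """Leaf attestor entry: succeeds if `identity` has signed the image."""
    return lambda image: identity in SIGNATURES.get(image, set())


@dataclass
class Entry:
    """Exactly one of the two is set: a leaf check, or a nested attestor set."""
    verifier: Optional[Verifier] = None
    attestor: Optional["AttestorSet"] = None


@dataclass
class AttestorSet:
    entries: List[Entry]
    count: Optional[int] = None  # None => all entries must match


def required_matches(attestor: AttestorSet) -> int:
    """Translate the count field into the number of entries that must match."""
    n = len(attestor.entries)
    if attestor.count is None:
        return n  # logical AND over all entries
    if attestor.count < 1 or attestor.count > n:
        raise ValueError(f"count must be between 1 and {n}, got {attestor.count}")
    return attestor.count  # count == 1 is a logical OR


def entry_matches(entry: Entry, image: str) -> bool:
    if entry.verifier is not None:
        return entry.verifier(image)
    if entry.attestor is not None:
        return evaluate(entry.attestor, image)
    raise ValueError("entry must carry either a verifier or a nested attestor")


def evaluate(attestor: AttestorSet, image: str) -> bool:
    """True when at least `count` entries (all, if count is null) match the image."""
    needed = required_matches(attestor)
    matched = sum(1 for e in attestor.entries if entry_matches(e, image))
    return matched >= needed


def evaluate_all(attestors: List[AttestorSet], image: str) -> bool:
    """A rule lists several attestor sets; every set must be satisfied."""
    return all(evaluate(a, image) for a in attestors)


# Constructed policy: the image must be signed by key-a AND by at least one of
# key-b or the keyless CI identity.
POLICY = AttestorSet(entries=[
    Entry(verifier=signed_by("key-a")),
    Entry(attestor=AttestorSet(count=1, entries=[
        Entry(verifier=signed_by("key-b")),
        Entry(verifier=signed_by("keyless:ci@example.com")),
    ])),
])
```

With this policy `app:1.0` passes, `app:1.1` fails because only the outer key-a entry matches, and a count larger than the number of entries is rejected as an invalid configuration rather than silently treated as "all".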
Deprecated. Use ImageReferences instead.
ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
ImageRegistryCredentials provides credentials that will be used for authentication with registry.
AllowInsecureRegistry allows insecure access to a registry.
Providers specifies a list of OCI Registry names, whose authentication providers are provided. It can be of one of these values: default,google,azure,amazon,github.
Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.
Deprecated. Use KeylessAttestor instead.
Deprecated. Use StaticKeyAttestor instead.
Default: true
MutateDigest enables replacement of image tags with digests. Defaults to true.
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation.
Default: true
Deprecated. Use KeylessAttestor instead.
Deprecated. Use KeylessAttestor instead.
Type specifies the method of signature validation. The allowed options are Cosign and Notary. By default Cosign is used if a type is not specified.
Default: true
UseCache enables caching of image verify responses for this rule.
Default: true
VerifyDigest validates that images have a digest.
SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is ‘true’; it must be set to ‘false’ to disable the validation checks.
UseServerSideApply controls whether to use server-side apply for generate rules. If set to ‘true’, create and update for generate rules will use apply instead of create/update. Defaults to ‘false’ if not specified.
Default: Audit
ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is ‘Audit’.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
ValidationFailureAction defines the policy validation failure action.
A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
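The label selector semantics stated above (matchLabels and matchExpressions ANDed, an empty selector matching everything, a null selector matching nothing, and the values constraint per operator) are easy to get subtly wrong in a policy, so here is an added example, not code from Upbound Spaces or Kubernetes, that implements them in a single function. The selector and label dictionaries it is run on are constructed for the example.

```python
from typing import Dict, List, Optional


def requirement_matches(req: dict, labels: Dict[str, str]) -> bool:
    """One matchExpressions entry, with the values-array rules from the field docs."""
    key, op = req["key"], req["operator"]
    values: List[str] = req.get("values") or []
    if op in ("In", "NotIn") and not values:
        raise ValueError(f"{op} requires a non-empty values array")
    if op in ("Exists", "DoesNotExist") and values:
        raise ValueError(f"{op} requires an empty values array")
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # A missing key is not "in" the set, so it satisfies NotIn.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator: {op}")


def label_selector_matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """Null selector matches nothing; empty selector matches everything;
    otherwise every matchLabels pair and every matchExpressions entry must hold."""
    if selector is None:
        return False
    requirements = [
        {"key": k, "operator": "In", "values": [v]}
        for k, v in (selector.get("matchLabels") or {}).items()
    ]
    requirements.extend(selector.get("matchExpressions") or [])
    return all(requirement_matches(r, labels) for r in requirements)


# Constructed selector: production namespaces in the web or api tier that carry
# no "legacy" label.
PROD_WEB_OR_API = {
    "matchLabels": {"env": "prod"},
    "matchExpressions": [
        {"key": "tier", "operator": "In", "values": ["web", "api"]},
        {"key": "legacy", "operator": "DoesNotExist"},
    ],
}
```

Because each matchLabels pair is rewritten as an `In` requirement before evaluation, the two halves of the selector are naturally ANDed, which is the behaviour the field docs describe.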
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
SharedUpboundPolicyStatus defines the observed state of the projected policies.
List of provisioning failures.
List of conditions.
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
message is a human readable message indicating details about the transition. This may be an empty string.
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
status of the condition, one of True, False, Unknown.
type of condition in CamelCase or in foo.example.com/CamelCase.
ControlPlane name where the failure occurred.
Observed resource generation.
List of successfully provisioned targets.
ControlPlane name where the external secret got successfully projected.
spaces.upbound.io/v1alpha1
Backup represents a single backup of a ControlPlane.
BackupSpec defines a backup over a set of ControlPlanes.
ConfigRef is a reference to the backup configuration. ApiGroup is optional and defaults to ‘spaces.upbound.io’. Kind is required, and the only supported value is ‘SharedBackupConfig’ at the moment. Name is required.
APIGroup is the group for the resource being referenced.
Kind is the type of resource being referenced.
Name is the name of resource being referenced.
ControlPlane is the name of the ControlPlane to backup. Requires ‘backup’ permission on the referenced ControlPlane.
Default: Orphan
DeletionPolicy is the policy for the backup.
ExcludedResources is a slice of resource names that are not included in the backup. Used to filter the included extra resources.
TTL is the time to live for the backup. After this time, the backup will be eligible for garbage collection. If not set, the backup will not be garbage collected.
BackupStatus represents the observed state of a Backup.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or a stalled state due to an error it cannot recover from without human intervention.
Default: Pending
Phase is the current phase of the backup.
Retries is the number of times the backup has been retried.
spaces.upbound.io/v1alpha1
BackupSchedule represents a single ControlPlane schedule for Backups.
BackupScheduleSpec defines a backup schedule over a set of ControlPlanes.
ConfigRef is a reference to the backup configuration. ApiGroup is optional and defaults to ‘spaces.upbound.io’. Kind is required, and the only supported value is ‘SharedBackupConfig’ at the moment. Name is required.
APIGroup is the group for the resource being referenced.
Kind is the type of resource being referenced.
Name is the name of resource being referenced.
ControlPlane is the name of the ControlPlane to which the schedule applies. Requires ‘get’ permission on the referenced ControlPlane.
Default: Orphan
DeletionPolicy is the policy for the backup.
ExcludedResources is a slice of resource names that are not included in the backup. Used to filter the included extra resources.
Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
Suspend specifies whether the schedule is suspended. If true, no Backups will be created, but running backups will be allowed to complete.
TTL is the time to live for the backup. After this time, the backup will be eligible for garbage collection. If not set, the backup will not be garbage collected.
UseOwnerReferencesBackup specifies whether an ownership chain should be established between this resource and the Backup it creates. If set to true, the Backup will be garbage collected when this resource is deleted.
BackupScheduleStatus represents the observed state of a BackupSchedule.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
LastBackup is the last time a Backup was run for this BackupSchedule.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or a stalled state due to an error it cannot recover from without human intervention.
spaces.upbound.io/v1beta1
ControlPlane defines a managed Crossplane instance.
A ControlPlaneSpec represents the desired state of the ControlPlane.
Crossplane defines the configuration for Crossplane.
Default: {channel: Stable}
AutoUpgrades defines the auto upgrade configuration for Crossplane.
Default: Stable

Channel defines the upgrade channels for Crossplane. We support the following channels where ‘Stable’ is the default:

  • None: disables auto-upgrades and keeps the control plane at its current version of Crossplane.
  • Patch: automatically upgrades the control plane to the latest supported patch version when it becomes available while keeping the minor version the same.
  • Stable: automatically upgrades the control plane to the latest supported patch release on minor version N-1, where N is the latest supported minor version.
  • Rapid: automatically upgrades the cluster to the latest supported patch release on the latest supported minor version.
Default: Running

State defines the state for crossplane and provider workloads. We support the following states where ‘Running’ is the default:

  • Running: Starts/Scales up all crossplane and provider workloads in the ControlPlane
  • Paused: Pauses/Scales down all crossplane and provider workloads in the ControlPlane
Version is the version of Universal Crossplane to install.
[[GATE:EnableSharedBackup]] THIS IS AN ALPHA FIELD. Do not use it in production. Restore specifies details about the control plane’s restore configuration.
FinishedAt is the time at which the control plane was restored. It’s not meant to be set by the user, but rather by the system when the control plane is restored.
Source of the Backup or BackupSchedule to restore from. Requires ‘restore’ permission on the referenced Backup or BackupSchedule. ApiGroup is optional and defaults to ‘spaces.upbound.io’. Kind is required, and the only supported kinds are Backup and BackupSchedule at the moment. Name is required.
APIGroup is the group for the resource being referenced.
Kind is the type of resource being referenced.
Name is the name of resource being referenced.

WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both can be set independently and connection details will be published to both without affecting each other.

If omitted, it defaults to the namespace of the ControlPlane. Deprecated: Use Hub or Upbound identities instead.

Name of the secret.
Namespace of the secret. If omitted, it is equal to the namespace of the resource containing this reference as a field.
A ControlPlaneStatus represents the observed state of a ControlPlane.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Message is a human-readable message indicating details about why the ControlPlane is in this condition.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
spaces.upbound.io/v1alpha1
spaces.upbound.io/v1alpha1
InControlPlaneOverride represents resource configuration overrides in a ControlPlane. The specified override can be applied on single objects as well as claim/XR object hierarchies.
InControlPlaneOverrideSpec defines a configuration override on a target object hierarchy in a target ControlPlane with the given name.
ControlPlaneName is the name of the target ControlPlane where the resource configuration overrides will be applied.
Default: RollBack
DeletionPolicy specifies whether when the InControlPlaneOverride object is deleted, the configuration override should be kept (Keep) or rolled back (RollBack).
Override denotes the configuration override to be applied on the target object hierarchy. The fully specified intent is obtained by serializing the Override.
Metadata specifies the patch metadata.

Annotations represents the Kube object annotations. Only the following annotations are allowed to be patched:

  • crossplane.io/paused
  • spaces.upbound.io/force-reconcile-at
Default: None
PropagationPolicy specifies whether the configuration override is applied only to the object referenced in TargetRef (None), or also to the objects reached by an ascending or descending traversal of the hierarchy starting from the target object.
TargetRef is the object reference to a Kubernetes API object where the configuration override will start. The controller will traverse the target object’s hierarchy depending on the PropagationPolicy. If PropagationPolicy is None, then only the target object will be updated.
APIVersion of the referenced object.
Kind of the referenced object.
Name of the referenced object.
Namespace of the referenced object.
InControlPlaneOverrideStatus defines the status of an InControlPlaneOverride object.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
APIVersion of the referenced object.
Kind of the referenced object.
Message holds an optional detail message detailing the observed state.
Name of the referenced object.
Namespace of the referenced object.
Reason is the reason for the target object’s override Status.
Status of the configuration override.
Metadata UID of the patch target object.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
spaces.upbound.io/v1alpha1
spaces.upbound.io/v1alpha1
SharedBackupConfig defines the configuration to backup and restore ControlPlanes.
A SharedBackupConfigSpec represents the configuration to backup or restore ControlPlanes.
ObjectStorage specifies the object storage configuration for the given provider.
Bucket is the name of the bucket to store backups in.
Config is a free-form map of configuration options for the object storage provider. See https://github.com/thanos-io/objstore?tab=readme-ov-file for more information on the formats for each supported cloud provider. Bucket and Provider will override the required values in the config.
Credentials specifies the credentials to access the object storage.
A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider.
Default: credentials
The key to select.
Name of the secret.
Source of the credentials. Source ‘Secret’ requires ‘get’ permissions on the referenced Secret.
Prefix is the prefix to use for all backups using this SharedBackupConfig, e.g. ‘prod/cluster1’, resulting in backups for controlplane ‘ctp1’ in namespace ’ns1’ being stored in ‘prod/cluster1/ns1/ctp1’.
Provider is the name of the object storage provider.
spaces.upbound.io/v1alpha1
spaces.upbound.io/v1alpha1
SharedBackup defines a backup over a set of ControlPlanes.
SharedBackupSpec defines a backup over a set of ControlPlanes.
ConfigRef is a reference to the backup configuration. ApiGroup is optional and defaults to ‘spaces.upbound.io’. Kind is required, and the only supported value is ‘SharedBackupConfig’ at the moment. Name is required.
APIGroup is the group for the resource being referenced.
Kind is the type of resource being referenced.
Name is the name of resource being referenced.
ControlPlaneSelector defines the selector for ControlPlanes to backup. Requires ‘backup’ permission on all ControlPlanes in the same namespace.
A resource is matched if any of the label selectors matches. If the list is empty, the resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. If the list is empty, the resource is matched too.
Default: Orphan
DeletionPolicy is the policy for the backup.
ExcludedResources is a slice of resource names that are not included in the backup. Used to filter the included extra resources.
TTL is the time to live for the backup. After this time, the backup will be eligible for garbage collection. If not set, the backup will not be garbage collected.
UseOwnerReferencesBackup specifies whether an ownership chain should be established between this resource and the Backup it creates. If set to true, the Backup will be garbage collected when this resource is deleted.
SharedBackupStatus represents the observed state of a SharedBackup.
Completed is the list of ControlPlanes for which the backup completed successfully.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
Failed is the list of ControlPlanes for which the backup failed.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
Default: Pending
Phase represents the current phase of the SharedBackup.
SelectedControlPlanes represents the names of the selected ControlPlanes.
spaces.upbound.io/v1alpha1
spaces.upbound.io/v1alpha1
SharedBackupSchedule defines a schedule for SharedBackup on a set of ControlPlanes.
SharedBackupScheduleSpec defines the desired state of a SharedBackupSchedule.
ConfigRef is a reference to the backup configuration. ApiGroup is optional and defaults to ‘spaces.upbound.io’. Kind is required, and the only supported value is ‘SharedBackupConfig’ at the moment. Name is required.
APIGroup is the group for the resource being referenced.
Kind is the type of resource being referenced.
Name is the name of resource being referenced.
ControlPlaneSelector defines the selector for ControlPlanes to backup. Requires ‘backup’ permission on all ControlPlanes in the same namespace.
A resource is matched if any of the label selectors matches. If the list is empty, the resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. If the list is empty, the resource is matched too.
Default: Orphan
DeletionPolicy is the policy for the backup.
ExcludedResources is a slice of resource names that are not included in the backup. Used to filter the included extra resources.
Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
Suspend specifies whether the schedule is suspended. If true, no Backups will be created, but running backups will be allowed to complete.
TTL is the time to live for the backup. After this time, the backup will be eligible for garbage collection. If not set, the backup will not be garbage collected.
UseOwnerReferencesBackup specifies whether an ownership chain should be established between this resource and the Backup it creates. If set to true, the Backup will be garbage collected when this resource is deleted.
SharedBackupScheduleStatus represents the observed state of a SharedBackupSchedule.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
SelectedControlPlanes is the list of ControlPlanes that are selected for backup.
spaces.upbound.io/v1alpha1
spaces.upbound.io/v1alpha1
SharedExternalSecret specifies a shared ExternalSecret projected into the specified ControlPlanes of the same namespace as ClusterExternalSecret and with that propagated into the specified namespaces.
SharedExternalSecretSpec defines the desired state of SharedExternalSecret.
The secret is projected only to control planes matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selectors matches. If the list is empty, the resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. If the list is empty, the resource is matched too.
The metadata of the secret store to be created.
Annotations that are set on projected resource.
Labels that are set on projected resource.
ExternalSecretName is the name to use when creating the external secret within a control plane. Optional; if not set, the SharedExternalSecret name will be used. When set, it is immutable.
The spec for the ExternalSecrets to be created.
Data defines the connection between the Kubernetes Secret keys and the Provider data.
RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch.
Default: Default
Used to define a conversion Strategy
Default: None
Used to define a decoding Strategy
Key is the key used in the Provider, mandatory
Default: None
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
Used to select a specific property of the Provider value (if a map), if supported
Used to select a specific version of the Provider value, if supported
SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret.
SourceRef allows you to override the source from which the value will be pulled.

GeneratorRef points to a generator custom resource.

Deprecated: The generatorRef is not implemented in .data[]. This will be removed with v1.

Default: generators.external-secrets.io/v1alpha1
Specify the apiVersion of the generator resource
Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
Specify the name of the generator resource
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to SecretStore.
Name of the SecretStore resource
DataFrom is used to fetch all properties from a specific Provider data. If multiple entries are specified, the Secret keys are merged in the specified order.
Used to extract multiple key/value pairs from one secret. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
Default: Default
Used to define a conversion Strategy
Default: None
Used to define a decoding Strategy
Key is the key used in the Provider, mandatory
Default: None
Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
Used to select a specific property of the Provider value (if a map), if supported
Used to select a specific version of the Provider value, if supported
Used to find secrets based on tags or regular expressions. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
Default: Default
Used to define a conversion Strategy
Default: None
Used to define a decoding Strategy
Finds secrets based on the name.
Finds secrets base
A root path to start the find operations.
Find secrets based on tags.
Used to rewrite secret Keys after getting them from the secret Provider. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last).
Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
Used to define the regular expression of a re.Compiler.
Used to define the target pattern of a ReplaceAll operation.
Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation.
Used to define the template to apply on the secret name. .value will specify the secret name in the template.
SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find to pull values out of a specific SecretStore. When sourceRef points to a generator, Extract or Find is not supported. The generator returns a static map of values.
GeneratorRef points to a generator custom resource.
Default: generators.external-secrets.io/v1alpha1
Specify the apiVersion of the generator resource
Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
Specify the name of the generator resource
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to SecretStore.
Name of the SecretStore resource
Default: 1h
RefreshInterval is the amount of time before the values are read again from the SecretStore provider. Valid time units are ’ns’, ‘us’ (or ‘µs’), ‘ms’, ’s’, ’m’, ‘h’. May be set to zero to fetch and create it once. Defaults to 1h.
SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
Kind of the SecretStore resource (SecretStore or ClusterSecretStore). Defaults to SecretStore.
Name of the SecretStore resource
Default: map[creationPolicy:Owner deletionPolicy:Retain]
ExternalSecretTarget defines the Kubernetes Secret to be created. There can be only one target per ExternalSecret.
Default: Owner
CreationPolicy defines rules on how to create the resulting Secret. Defaults to ‘Owner’.
Default: Retain
DeletionPolicy defines rules on how to delete the resulting Secret. Defaults to ‘Retain’.
Immutable defines if the final secret will be immutable.
Name defines the name of the Secret resource to be managed. This field is immutable. Defaults to the .metadata.name of the ExternalSecret resource.
Template defines a blueprint for the created Secret resource.
Default: v2
EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
Default: Replace
ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
Default: Values
Default: Values
Default: Data
The projected secret can be consumed only within namespaces matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selectors matches. If the list is empty, the resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. If the list is empty, the resource is matched too.
Used to configure secret refresh interval in seconds.
SharedExternalSecretStatus defines the observed state of the ExternalSecret.
List of provisioning failures.
List of conditions.
ControlPlane name where the failure occurred.
Observed resource generation.
List of successfully provisioned targets.
ControlPlane name where the external secret got successfully projected.
spaces.upbound.io/v1alpha1
spaces.upbound.io/v1alpha1
SharedSecretStore represents a shared SecretStore projected as ClusterSecretStore into matching ControlPlanes in the same namespace. Once projected into a ControlPlane, it can be referenced from ExternalSecret instances, as part of storeRef fields. The secret store configuration, including referenced credentials, is not leaked into the ControlPlanes and in that sense can be called secure, as it is invisible to the ControlPlane workloads.
SharedSecretStoreSpec defines the desired state of SecretStore.
The store is projected only to control planes matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selectors matches. If the list is empty, the resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. If the list is empty, the resource is matched too.
The projected secret store can be consumed only within namespaces matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selectors matches. If the list is empty, the resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. If the list is empty, the resource is matched too.
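The selector semantics above (for the ControlPlaneSelector of SharedBackup and SharedBackupSchedule and for the control plane and namespace selectors of SharedExternalSecret and SharedSecretStore) determine which control planes a backup or a projected secret reaches, so it is worth being able to preview the match set before applying. The following is an added example, not code from the Spaces API or Upbound; it implements the described rules (any label selector matches, each selector's matchLabels and matchExpressions ANDed, empty lists match everything, names restrict independently) and assumes the field names `labelSelectors` and `names` and constructed sample control planes.

```python
"""Preview which ControlPlanes a Spaces resource selector would match.

Added example (not part of the Spaces API reference). Field names
`labelSelectors` / `names` are assumed from the field descriptions.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: name plus labels as they would appear in metadata.
SAMPLE_CONTROL_PLANES: list[dict[str, Any]] = [
    {"name": "prod-a", "labels": {"env": "prod", "tier": "gold"}},
    {"name": "prod-b", "labels": {"env": "prod"}},
    {"name": "dev-a", "labels": {"env": "dev"}},
    {"name": "legacy", "labels": {}},  # no labels at all
]


def _expr_matches(labels: dict[str, str], req: dict[str, Any]) -> bool:
    """Evaluate one matchExpressions entry with Kubernetes semantics."""
    key, op = req["key"], req["operator"]
    values = req.get("values") or []
    # Validate the values-array rules stated for each operator.
    if op in ("In", "NotIn") and not values:
        raise ValueError(f"operator {op} requires a non-empty values array")
    if op in ("Exists", "DoesNotExist") and values:
        raise ValueError(f"operator {op} requires an empty values array")
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":  # a missing key also satisfies NotIn
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def label_selector_matches(labels: dict[str, str], selector: dict[str, Any]) -> bool:
    """matchLabels and matchExpressions are ANDed; an empty selector matches."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    return all(_expr_matches(labels, req)
               for req in selector.get("matchExpressions") or [])


def resource_selector_matches(meta: dict[str, Any], selector: dict[str, Any],
                              require_one: bool = False) -> bool:
    """Apply the names list and the labelSelectors list.

    Each list restricts the match only when non-empty. With require_one=True
    (the rule stated for SharedExternalSecret / SharedSecretStore) an empty
    selector is rejected instead of matching every control plane.
    """
    names = selector.get("names") or []
    label_selectors = selector.get("labelSelectors") or []
    if require_one and not names and not label_selectors:
        raise ValueError("either names or a labelSelector must be specified")
    if names and meta["name"] not in names:
        return False
    if not label_selectors:
        return True
    labels = meta.get("labels") or {}
    return any(label_selector_matches(labels, ls) for ls in label_selectors)


def select_control_planes(control_planes: list[dict[str, Any]],
                          selector: dict[str, Any],
                          require_one: bool = False) -> list[str]:
    """Return the names of the control planes the selector would touch."""
    return [cp["name"] for cp in control_planes
            if resource_selector_matches(cp, selector, require_one)]


if __name__ == "__main__":
    sel = {"labelSelectors": [{"matchLabels": {"env": "prod"},
                               "matchExpressions": [{"key": "tier", "operator": "Exists"}]}]}
    print(select_control_planes(SAMPLE_CONTROL_PLANES, sel))  # ['prod-a']
```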
Used to configure the provider. Only one provider may be set.
Akeyless configures this store to sync secrets using the Akeyless Vault provider.
Akeyless GW API URL from which the secrets are fetched.
Auth configures how the operator authenticates with Akeyless.
Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
The Akeyless Kubernetes auth-method access-id.
Kubernetes-auth configuration name in Akeyless-Gateway.
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, token is the default. If one is not specified, the one bound to the controller will be used.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
Reference to a Secret that contains the details to authenticate with Akeyless.
The SecretAccessID is used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL uses the HTTPS protocol. If not set, the system root certificates are used to validate the TLS connection.
The provider for the CA bundle to use to validate the Akeyless Gateway certificate.
The key where the CA certificate can be found in the Secret or ConfigMap.
The name of the object located at the provider type.
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
The type of provider to use such as ‘Secret’, or ‘ConfigMap’.
Alibaba configures this store to sync secrets using the Alibaba Cloud provider.
AlibabaAuth contains a secretRef for credentials.
Authenticate against Alibaba using RRSA.
AlibabaAuthSecretRef holds secret references for Alibaba credentials.
The AccessKeyID is used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
The AccessKeySecret is used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
Alibaba Region to be used for the provider.
AWS configures this store to sync secrets using the AWS Secrets Manager provider.
AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role.
Auth defines the information necessary to authenticate against AWS. If not set, the AWS SDK will infer credentials from your environment; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
Authenticate against AWS using service account tokens.
A reference to a ServiceAccount resource.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity, then these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
AWSAuthSecretRef holds secret references for AWS credentials; both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
The AccessKeyID is used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent it defaults to the namespace of the referent.
The SecretAccessKey is used for authentication
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
The SessionToken is used for authentication. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials; see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
AWS External ID set on assumed IAM roles
AWS Region to be used for the provider
Role is a Role ARN which the provider will assume
SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
Specifies whether to delete the secret without any recovery window. You can’t use both this parameter and RecoveryWindowInDays in the same call. If you don’t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can’t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don’t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
Service defines which service should be used to fetch the secrets
AWS STS assume role session tags
AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
AzureKV configures this store to sync secrets using Azure Key Vault provider
Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
The Azure clientId of the service principal used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
The Azure ClientSecret of the service principal used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Default: ServicePrincipal

Auth type defines how to authenticate to the keyvault service. Valid values are:

  • ‘ServicePrincipal’ (default): Using a service principal (tenantId, clientId, clientSecret)
  • ‘ManagedIdentity’: Using Managed Identity assigned to the pod (see aad-pod-identity)
Default: PublicCloud
EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available: PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud. See also: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
If multiple Managed Identities are assigned to the pod, you can select the one to be used.
ServiceAccountRef specifies the service account that should be used when authenticating with WorkloadIdentity.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
Vault URL from which the secrets are fetched.
Conjur configures this store to sync secrets using conjur provider
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token with the TokenRequest API.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
The conjur authn jwt webservice id
Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
The key where the CA certificate can be found in the Secret or ConfigMap.
The name of the object located at the provider type.
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
The type of provider to use such as ‘Secret’, or ‘ConfigMap’.
ClientID is the non-secret part of the credential.
SecretRef references a key in a secret that will be used as value.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Value can be specified directly to set a value without using a secret.
ClientSecret is the secret part of the credential.
SecretRef references a key in a secret that will be used as value.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Value can be specified directly to set a value without using a secret.
Tenant is the chosen hostname / site name.
TLD is based on the server location that was chosen during provisioning. If unset, defaults to ‘com’.
URLTemplate, if unset, defaults to ‘https://%s.secretsvaultcloud.%s/v1/%s%s’.
Doppler configures this store to sync secrets using the Doppler provider
Auth configures how the Operator authenticates with the Doppler API
The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Doppler config (required if not using a Service Token)
Format enables the downloading of secrets as a file (string)
Environment variable compatible name transforms that change secret names to a different format
Doppler project (required if not using a Service Token)
Fake configures a store with static key/value pairs
Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the value field instead.
GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
Auth defines the information necessary to authenticate against GCP
The SecretAccessKey is used for authentication
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
A reference to a ServiceAccount resource.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
ProjectID is the project where the secret is located.
GitLab configures this store to sync secrets using GitLab Variables provider
Auth configures how secret-manager authenticates with a GitLab instance.
AccessToken is used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
ProjectID specifies a project where secrets are located.
URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
IBM configures this store to sync secrets using IBM Cloud provider
Auth configures how secret-manager authenticates with the IBM secrets manager.
IBM Container-based auth with IAM Trusted Profile.
The IBM Trusted Profile.
Location the token is mounted on the pod
The SecretAccessKey is used for authentication
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
Auth configures how secret-manager authenticates with a Kubernetes instance.
Cert authentication; has both clientCert and clientKey as secretKeySelector.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Points to a service account that should be used for authentication.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Use a static token to authenticate with.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Default: default
Remote namespace to fetch the secrets from
Configures the Kubernetes server address.
CABundle is a base64-encoded CA certificate
The key where the CA certificate can be found in the Secret or ConfigMap.
The name of the object located at the provider type.
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
The type of provider to use such as ‘Secret’, or ‘ConfigMap’.
Default: kubernetes.default
Configures the Kubernetes server address.
OnePassword configures this store to sync secrets using the 1Password Cloud provider
Auth defines the information necessary to authenticate against OnePassword Connect Server
OnePasswordAuthSecretRef holds secret references for 1Password credentials.
The ConnectToken is used for authentication to a 1Password Connect Server.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
ConnectHost defines the OnePassword Connect Server to connect to
Vaults defines which OnePassword vaults to search in which order
Oracle configures this store to sync secrets using Oracle Vault provider
Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
SecretRef to pass through sensitive information.
Fingerprint is the fingerprint of the API private key.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
PrivateKey is the user’s API Signing Key in PEM format, used for authentication.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Tenancy is the tenancy OCID where user is located.
User is an access OCID specific to the account.
Compartment is the vault compartment OCID. Required for PushSecret
EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
Region is the region where vault is located.
ServiceAccountRef specifies the service account that should be used when authenticating with WorkloadIdentity.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Vault is the OCID of the specific vault where the secret is located.
Scaleway
AccessKey is the non-secret part of the api key.
SecretRef references a key in a secret that will be used as value.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Value can be specified directly to set a value without using a secret.
APIURL is the URL of the API to use. Defaults to https://api.scaleway.com
ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings
SecretKey is the non-secret part of the api key.
SecretRef references a key in a secret that will be used as value.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Value can be specified directly to set a value without using a secret.
Senhasegura configures this store to sync secrets using senhasegura provider
Auth defines parameters to authenticate in senhasegura
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Default: false
IgnoreSslCertificate defines whether the SSL certificate must be ignored
Module defines which senhasegura module should be used to get secrets
URL of senhasegura
UpboundProvider configures a store to sync secrets with Upbound Spaces.
StoreRef holds ref to Upbound Spaces secret store
Name of the secret store on Upbound Spaces
Vault configures this store to sync secrets using the HashiCorp Vault provider
Auth configures how secret-manager authenticates with the Vault server.
AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
Default: approle
Path where the App Role authentication backend is mounted in Vault, e.g: ‘approle’
RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The key field must be specified and denotes which entry within the Secret resource is used as the app role id.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The key field must be specified and denotes which entry within the Secret resource is used as the app role secret.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Cert authenticates with Vault using the Cert authentication method, by passing a client certificate, private key and CA certificate.
ClientCert is a certificate to authenticate using the Cert Vault authentication method
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Iam authenticates with Vault using the AWS IAM authentication method, by passing a special AWS request signed with AWS IAM credentials.
AWS External ID set on assumed IAM roles
Specify a service account with IRSA enabled
A reference to a ServiceAccount resource.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Path where the AWS auth method is enabled in Vault, e.g: ‘aws’
AWS region
This is the AWS role to be assumed before talking to vault
Specify credentials in a Secret object
The AccessKeyID is used for authentication
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
The SecretAccessKey is used for authentication
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
The SessionToken is used for authentication. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials; see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token with the TokenRequest API.
Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by serviceAccountRef. Defaults to a single audience, vault, if not specified. Deprecated: use serviceAccountRef.Audiences instead
Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by serviceAccountRef. Deprecated: this will be removed in the future. Defaults to 10 minutes.
Service account field containing the name of a kubernetes ServiceAccount.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Default: jwt
Path where the JWT authentication backend is mounted in Vault, e.g: ‘jwt’
Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
Default: kubernetes
Path where the Kubernetes authentication backend is mounted in Vault, e.g: ‘kubernetes’
A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, token is the default. If one is not specified, the one bound to the controller will be used.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
Audience specifies the aud claim for the service account token. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity), these audiences will be appended to the list.
The name of the ServiceAccount resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
Default: ldap
Path where the LDAP authentication backend is mounted in Vault, e.g: ‘ldap’
SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
TokenSecretRef authenticates with Vault by presenting a token.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
UserPass authenticates with Vault by passing username/password pair
Default: user
Path where the UserPassword authentication backend is mounted in Vault, e.g: ‘user’
SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
Username is a user name used to authenticate using the UserPass Vault authentication method
PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
The provider for the CA bundle to use to validate Vault server certificate.
The key where the CA certificate can be found in the Secret or ConfigMap.
The name of the object located at the provider type.
The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
The type of provider to use such as ‘Secret’, or ‘ConfigMap’.
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support secure multi-tenancy, e.g. ‘ns1’. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
Path is the mount path of the Vault KV backend endpoint, e.g: ‘secret’. The v2 KV secret engine version specific ‘/data’ path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.
ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
Server is the connection address for the Vault server, e.g: ‘https://vault.example.com:8200’.
Default: v2
Version is the Vault KV secret engine version. This can be either ‘v1’ or ‘v2’. Version defaults to ‘v2’.
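The Vault fields above carry three rules worth checking before a SharedSecretStore is applied: the CA bundle only matters for an HTTPS server URL (and a plain HTTP URL exposes the token and secrets on the wire), the KV version must be ‘v1’ or ‘v2’, and for v2 the ‘/data’ suffix is appended when the path lacks it. The linter below is an added example, not code from Upbound Spaces or the External Secrets Operator; the manifest shape it assumes (spec.provider.vault with server, path, version, caBundle, caProvider and auth keys, tokenSecretRef and userPass under auth) is taken from the field descriptions and the sample values are constructed.

```python
"""Lint the Vault provider block of a SharedSecretStore before applying it.

Added example, not code from Upbound Spaces or External Secrets Operator.
Assumed field names (from the field descriptions; may differ from the CRD):
server, path, version, caBundle, caProvider, auth.tokenSecretRef, auth.userPass.
"""
import base64
from typing import List
from urllib.parse import urlparse

# Constructed placeholder bundle; a real one is the CA's PEM certificate.
PEM_CA = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"

# The weak setting (plain HTTP) beside the corrected one.
WEAK_VAULT = {
    "server": "http://vault.example.com:8200",      # token and secrets in cleartext
    "path": "secret",
    "version": "v2",
    "caBundle": base64.b64encode(PEM_CA).decode(),  # silently ignored over HTTP
    "auth": {"tokenSecretRef": {"name": "vault-token", "key": "token"}},
}
HARDENED_VAULT = {
    "server": "https://vault.example.com:8200",
    "path": "secret/data",
    "version": "v2",
    "caBundle": base64.b64encode(PEM_CA).decode(),
    "auth": {"userPass": {"path": "user", "username": "spaces",
                          "secretRef": {"name": "vault-userpass", "key": "password"}}},
}


def kv_read_path(path: str, version: str = "v2") -> str:
    """Apply the documented rule: KV v2 reads go through '/data'; append it if missing."""
    path = path.strip("/")
    if version == "v1":
        return path
    if version != "v2":
        raise ValueError(f"version must be 'v1' or 'v2', got {version!r}")
    return path if path.endswith("/data") or "/data/" in path else path + "/data"


def _secret_ref_ok(ref: dict) -> bool:
    """A usable secret reference names both the Secret and the data key."""
    return bool(ref.get("name")) and bool(ref.get("key"))


def lint_vault_provider(vault: dict) -> List[str]:
    """Return human-readable findings; an empty list means the block passed."""
    findings = []
    scheme = urlparse(vault.get("server", "")).scheme
    if scheme == "http":
        findings.append("server uses plain HTTP: the Vault token and every fetched secret cross the network in cleartext")
        if "caBundle" in vault or "caProvider" in vault:
            findings.append("caBundle/caProvider are ignored for HTTP; switch the server URL to https://")
    elif scheme != "https":
        findings.append(f"server URL has unexpected scheme {scheme!r}")
    if "caBundle" in vault and "caProvider" in vault:
        findings.append("both caBundle and caProvider are set; keep exactly one")
    if "caBundle" in vault:
        try:
            pem = base64.b64decode(vault["caBundle"], validate=True)
        except (ValueError, TypeError):
            findings.append("caBundle is not valid base64")
        else:
            if b"-----BEGIN CERTIFICATE-----" not in pem:
                findings.append("caBundle decodes but contains no PEM certificate")
    version = vault.get("version", "v2")  # documented default is v2
    if version not in ("v1", "v2"):
        findings.append(f"version must be 'v1' or 'v2', got {version!r}")
    auth = vault.get("auth") or {}
    if "tokenSecretRef" in auth:
        if not _secret_ref_ok(auth["tokenSecretRef"]):
            findings.append("tokenSecretRef needs both name and key")
    elif "userPass" in auth:
        up = auth["userPass"]
        if not up.get("username") or not _secret_ref_ok(up.get("secretRef", {})):
            findings.append("userPass needs username and a secretRef with name and key")
    else:
        findings.append("no supported auth method (tokenSecretRef or userPass) configured")
    return findings


if __name__ == "__main__":
    for label, block in (("weak", WEAK_VAULT), ("hardened", HARDENED_VAULT)):
        print(label, kv_read_path(block["path"], block["version"]), lint_vault_provider(block))
```

Run it against the two constants: the weak block yields two findings (cleartext transport and an ignored CA bundle), the hardened block none. The scheme check is deliberately strict because a CA bundle on an HTTP URL is the classic misconfiguration that looks secure in review and is not.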
Webhook configures this store to sync secrets using a generic templated webhook
Body
PEM encoded CA bundle used to validate the webhook server certificate. Only used if the Server URL uses the HTTPS protocol; it is ignored for a plain HTTP connection. If not set, the system root certificates are used to validate the TLS connection.
The provider for the CA bundle to use to validate webhook server certificate.
The key of the value inside the provider type to use; only used with the ‘Secret’ type.
The name of the object located at the provider type.
The namespace the Provider type is in.
The type of provider to use such as ‘Secret’, or ‘ConfigMap’.
Headers
Webhook Method
Result formatting
JSON path of the return value.
Secrets to fill in templates. These secrets will be passed to the templating function as key/value pairs under the given name.
Name of this secret in templates
Secret ref to fill in credentials
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent, this defaults to the namespace of the referent.
Timeout
Webhook URL to call.
YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
Yandex.Cloud API endpoint (e.g. ‘api.cloud.yandex.net:443’)
Auth defines the information necessary to authenticate against Yandex Certificate Manager
The authorized key used for authentication
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent, this defaults to the namespace of the referent.
The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent, this defaults to the namespace of the referent.
YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
Yandex.Cloud API endpoint (e.g. ‘api.cloud.yandex.net:443’)
Auth defines the information necessary to authenticate against Yandex Lockbox
The authorized key used for authentication
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent, this defaults to the namespace of the referent.
The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
The key of the entry in the Secret resource’s data field to be used. Some instances of this field may be defaulted, in others it may be required.
The name of the Secret resource being referred to.
Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped; for a cluster-scoped referent, this defaults to the namespace of the referent.
Used to configure the store refresh interval in seconds.
Used to configure HTTP retries on failure.
The metadata of the secret store to be created.
Annotations that are set on projected resource.
Labels that are set on projected resource.
SecretStoreName is the name to use when creating secret stores within a control plane. Optional; if not set, the SharedSecretStore name will be used. When set, it is immutable.
SharedSecretStoreStatus defines the observed state of the SecretStore.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
List of provisioning failures.
List of occurred conditions.
ControlPlane name where the failure occurred.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
List of successfully provisioned targets.
ControlPlane name where the secret store got projected
spaces.upbound.io/v1alpha1
spaces.upbound.io/v1alpha1
A Simulation creates a simulation of a source ControlPlane. You can apply a change set to the simulated control plane. When the Simulation is complete it will detect the changes and report the difference compared to the source control plane.
SimulationSpec specifies how to run the simulation.
CompletionCriteria specify how Spaces should determine when the simulation is complete. If any of the criteria are met, Spaces will set the Simulation’s desired state to complete. Omit the criteria if you want to manually mark the Simulation complete.
Duration after which the simulation is complete.
Type of criterion.
ControlPlaneName is the name of the ControlPlane to simulate a change to. This control plane is known as the Simulation’s ‘source’ control plane.
Default: AcceptingChanges
DesiredState of the simulation.
SimulationStatus represents the observed state of a Simulation.
Changes detected by the simulation. Only changes that happen while the simulation is in the AcceptingChanges state are included.
Change type.
ObjectReference to the changed object.
APIVersion of the changed resource.
Kind of the changed resource.
Name of the changed resource.
Namespace of the changed resource.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
ControlPlaneData exported from the source control plane and imported to the simulated control plane.
ExportTimestamp is the time at which the source control plane’s resources were exported. Resources are exported to temporary storage before they’re imported to the simulated control plane.
ImportTimestamp is the time at which the source control plane’s resources were imported to the simulated control plane.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to an error it cannot recover from without human intervention.
SimulatedControlPlaneName is the name of the control plane used to run the simulation.
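A Simulation is only trustworthy if the status you read describes the spec you applied: the condition docs above spell out that a condition whose observedGeneration lags metadata.generation is stale, and only changes recorded while the Simulation is AcceptingChanges are reported. The helper below is an added example, not Upbound’s code; the field names it assumes (spec.controlPlaneName, spec.desiredState, spec.completionCriteria[].type/.duration, status.conditions[], status.changes[].change/.objectRef, status.simulatedControlPlaneName) come from the field descriptions, and the change-type values ‘Update’ and ‘Delete’ plus the whole status are constructed for illustration.

```python
"""Build a Simulation and read its status back without trusting stale conditions.

Added example, not Upbound's code. Field names are assumed from the field
descriptions above; the status below is constructed, including the change
type values, which the docs do not enumerate.
"""
from typing import Dict, List, Optional, Tuple


def simulation_manifest(source: str, name: str, duration: Optional[str] = None) -> dict:
    """Simulation of `source`; a Duration criterion lets Spaces complete it by itself."""
    spec = {"controlPlaneName": source, "desiredState": "AcceptingChanges"}
    if duration is not None:
        spec["completionCriteria"] = [{"type": "Duration", "duration": duration}]
    return {"apiVersion": "spaces.upbound.io/v1alpha1", "kind": "Simulation",
            "metadata": {"name": name}, "spec": spec}


def condition_state(obj: dict, cond_type: str) -> Tuple[str, bool]:
    """Return (status, current). `current` is False when the condition's
    observedGeneration does not match metadata.generation, i.e. it was set
    against an older spec and must not be acted on."""
    gen = obj["metadata"].get("generation")
    for c in obj.get("status", {}).get("conditions", []):
        if c.get("type") == cond_type:
            return c.get("status", "Unknown"), c.get("observedGeneration") == gen
    return "Unknown", False


def change_summary(obj: dict) -> Dict[str, List[str]]:
    """Group detected changes by change type as 'Kind ns/name' (no ns if cluster-scoped)."""
    out: Dict[str, List[str]] = {}
    for ch in obj.get("status", {}).get("changes", []):
        ref = ch["objectRef"]
        ns = ref.get("namespace")
        ident = f"{ref['kind']} {ns + '/' if ns else ''}{ref['name']}"
        out.setdefault(ch["change"], []).append(ident)
    return out


# Constructed status mirroring the example in the condition docs:
# generation 12, but the Complete condition was observed at generation 9.
SAMPLE_SIM = simulation_manifest("prod", "prod-sim", "30m")
SAMPLE_SIM["metadata"]["generation"] = 12
SAMPLE_SIM["status"] = {
    "simulatedControlPlaneName": "prod-sim-a1b2c",
    "conditions": [{"type": "Complete", "status": "True", "observedGeneration": 9,
                    "reason": "CriteriaMet", "message": "", "lastTransitionTime": "2024-01-01T00:00:00Z"}],
    "changes": [
        {"change": "Update", "objectRef": {"apiVersion": "v1", "kind": "ConfigMap",
                                           "namespace": "default", "name": "app"}},
        {"change": "Delete", "objectRef": {"apiVersion": "rbac.authorization.k8s.io/v1",
                                           "kind": "ClusterRole", "name": "old-admin"}},
    ],
}

if __name__ == "__main__":
    status, current = condition_state(SAMPLE_SIM, "Complete")
    print("Complete:", status, "current:" if current else "STALE, generation", SAMPLE_SIM["metadata"]["generation"])
    print(change_summary(SAMPLE_SIM))
```

In the constructed sample the Complete condition reads True but is stale, so a script that gates a rollout on it should keep waiting rather than read the change list; once the generations match, change_summary gives the per-type view of what the simulated control plane would do to the source.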