Custom Resource Definitions

Custom Resource Definitions (CRDs) for Kyverno policies and other types.
Kyverno API

kyverno.io/v1

Resource Types:

ClusterPolicy

ClusterPolicy …

Field Description
apiVersion
string
kyverno.io/v1
kind
string
ClusterPolicy
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
Spec

Spec is the information to identify the policy



rules
[]Rule

Rules contains the list of rules to be applied to resources.

validationFailureAction
string

ValidationFailureAction selects how violations of validation rules are handled when a resource fails a rule. Default value is “audit”.

background
bool

Background selects whether rules are also applied to existing resources, not only to incoming requests. Default value is “true”.

status
PolicyStatus

Status contains statistics related to the policy.


ClusterPolicyViolation

ClusterPolicyViolation represents cluster-wide violations.

Field Description
apiVersion
string
kyverno.io/v1
kind
string
ClusterPolicyViolation
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
PolicyViolationSpec


policy
string

Specifies the name of the policy.

resource
ResourceSpec
rules
[]ViolatedRule

Specifies the list of violated rules.

status
PolicyViolationStatus

GenerateRequest

GenerateRequest is a request to process a generate rule.

Field Description
apiVersion
string
kyverno.io/v1
kind
string
GenerateRequest
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GenerateRequestSpec

Spec is the information to identify the generate request.



policy
string

Specifies the name of the policy.

resource
ResourceSpec

ResourceSpec is the information to identify the generate request

context
GenerateRequestContext

Context …

status
GenerateRequestStatus

Status contains statistics related to the generate request.


PolicyViolation

PolicyViolation represents namespaced violations.

Field Description
apiVersion
string
kyverno.io/v1
kind
string
PolicyViolation
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
PolicyViolationSpec


policy
string

Specifies the name of the policy.

resource
ResourceSpec
rules
[]ViolatedRule

Specifies the list of violated rules.

status
PolicyViolationStatus

CloneFrom

(Appears on: Generation)

CloneFrom is the location of the resource that will be used as the source when applying ‘generate’.

Field Description
namespace
string

Specifies the resource namespace.

name
string

Specifies the name of the resource.


Condition

(Appears on: Deny, Rule)

Condition defines the evaluation condition.

Field Description
key
interface{}

Key contains the key to compare.

operator
ConditionOperator

Operator used to compare the key against the value.

value
interface{}

Value to be compared against.


ConditionOperator (string alias)

(Appears on: Condition)

ConditionOperator defines the type for the condition operator.

ConfigMapReference

(Appears on: ContextEntry)

Field Description
name
string
namespace
string

ContextEntry

(Appears on: Rule)

Field Description
name
string
path
string
configMap
ConfigMapReference

Deny

(Appears on: Validation)

Field Description
conditions
[]Condition

Specifies the set of conditions under which validation is denied.


ExcludeResources

(Appears on: Rule)

ExcludeResources contains the resource description of the resources that are to be excluded from the policy rule.

Field Description
UserInfo
UserInfo

Specifies user information. UserInfo is an embedded struct with no JSON name, so its fields (roles, clusterRoles, subjects) appear directly under the exclude block rather than under a userInfo key.

resources
ResourceDescription

Specifies the resources that are excluded from the rule.


GenerateRequestContext

(Appears on: GenerateRequestSpec)

GenerateRequestContext stores the context to be shared.

Field Description
userInfo
RequestInfo

GenerateRequestSpec

(Appears on: GenerateRequest)

GenerateRequestSpec stores the request specification.

Field Description
policy
string

Specifies the name of the policy.

resource
ResourceSpec

ResourceSpec is the information to identify the generate request

context
GenerateRequestContext

Context …


GenerateRequestState (string alias)

(Appears on: GenerateRequestStatus)

GenerateRequestState defines the state of

GenerateRequestStatus

(Appears on: GenerateRequest)

GenerateRequestStatus stores the status of a generate request.

Field Description
state
GenerateRequestState

State represents the state of the generate request.

message
string
(Optional)

Specifies the request status message.

generatedResources
[]ResourceSpec

Tracks the resources that were generated by the generate policy; this list is used when cleaning up those resources.


Generation

(Appears on: Rule)

Generation describes which resources will be created when another resource is created.

Field Description
ResourceSpec
ResourceSpec

Identifies the resource to generate. ResourceSpec is an embedded struct with no JSON name, so its fields (apiVersion, kind, namespace, name) appear directly under the generate block.
synchronize
bool

Keeps the generated resources synchronized with the source resource.

data
interface{}

Data …

clone
CloneFrom

Clones the resource from another resource.


MatchResources

(Appears on: Rule)

MatchResources contains the resource description of the resources to which the rule applies.

Field Description
UserInfo
UserInfo

Specifies user information. UserInfo is an embedded struct with no JSON name, so its fields (roles, clusterRoles, subjects) appear directly under the match block rather than under a userInfo key.

resources
ResourceDescription

Specifies the resources to which the rule is applied.


Mutation

(Appears on: Rule)

Mutation describes how the mutating webhook will react on resource creation.

Field Description
overlay
interface{}

Specifies overlay patterns. Overlay is preserved for backwards compatibility and will be removed in Kyverno 1.5+.

patches
[]Patch

Specifies JSON Patch operations. Patches is preserved for backwards compatibility and will be removed in Kyverno 1.5+.

patchStrategicMerge
interface{}
patchesJson6902
string

Patch

(Appears on: Mutation)

Patch declares a patch operation for the created object according to RFC 6902.

Field Description
path
string

Specifies the path within the resource.

op
string

Specifies the operation, one of those supported by JSON Patch, i.e. add, replace and delete.

value
interface{}

Specifies the value to be applied.


Policy

Policy contains rules to be applied to created resources.

Field Description
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
Spec

Spec is the information to identify the policy.



rules
[]Rule

Rules contains the list of rules to be applied to resources.

validationFailureAction
string

ValidationFailureAction selects how violations of validation rules are handled when a resource fails a rule. Default value is “audit”.

background
bool

Background selects whether rules are also applied to existing resources, not only to incoming requests. Default value is “true”.

status
PolicyStatus

Status contains statistics related to the policy.


PolicyStatus

(Appears on: ClusterPolicy, Policy)

PolicyStatus mostly contains statistics related to the policy.

Field Description
averageExecutionTime
string

Average time required to process the policy rules on a resource.

violationCount
int

Number of violations created by this policy.

rulesFailedCount
int

Count of rules that failed.

rulesAppliedCount
int

Count of rules that were applied.

resourcesBlockedCount
int

Count of resources that were blocked for failing a validate rule, across all rules.

resourcesMutatedCount
int

Count of resources that were successfully mutated, across all rules.

resourcesGeneratedCount
int

Count of resources that were successfully generated, across all rules.

ruleStatus
[]RuleStats

PolicyViolationSpec

(Appears on: ClusterPolicyViolation, PolicyViolation, PolicyViolationTemplate)

PolicyViolationSpec describes the violation of a policy by one of its rules.

Field Description
policy
string

Specifies the name of the policy.

resource
ResourceSpec
rules
[]ViolatedRule

Specifies the list of violated rules.


PolicyViolationStatus

(Appears on: ClusterPolicyViolation, PolicyViolation, PolicyViolationTemplate)

PolicyViolationStatus provides information regarding the status of a policy violation.

Field Description
lastUpdateTime
Kubernetes meta/v1.Time

LastUpdateTime is the time the policy violation was updated.


PolicyViolationTemplate

PolicyViolationTemplate stores the information regarding the resources for which a policy failed to apply.

Field Description
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
PolicyViolationSpec


policy
string

Specifies the name of the policy.

resource
ResourceSpec
rules
[]ViolatedRule

Specifies the list of violated rules.

status
PolicyViolationStatus

RequestInfo

(Appears on: GenerateRequestContext)

RequestInfo contains the permission information carried in an admission request.

Field Description
roles
[]string

Roles is the list of namespaced roles that may have sent the request.

clusterRoles
[]string

ClusterRoles is the list of cluster roles that may have sent the request.

userInfo
Kubernetes authentication/v1.UserInfo

UserInfo is the userInfo carried in the admission request.


ResourceDescription

(Appears on: ExcludeResources, MatchResources)

ResourceDescription describes the resource to which the PolicyRule will be applied.

Field Description
kinds
[]string

Specifies the list of resource kinds.

name
string

Specifies the name of the resource.

namespaces
[]string

Specifies the list of namespaces.

annotations
map[string]string

Specifies a map of annotations.

selector
Kubernetes meta/v1.LabelSelector

Specifies the label selector.


ResourceSpec

(Appears on: GenerateRequestSpec, GenerateRequestStatus, Generation, PolicyViolationSpec)

ResourceSpec contains the information needed to identify the resource.

Field Description
apiVersion
string
(Optional)

Specifies the resource apiVersion.

kind
string
(Optional)

Specifies the resource kind.

namespace
string
(Optional)

Specifies the resource namespace.

name
string

Specifies the resource name.


Rule

(Appears on: Spec)

Rule contains a mutation, validation, or generation action for a single resource description.

Field Description
name
string

A unique label for the rule.

context
[]ContextEntry
(Optional)

Defines variables that can be used during rule execution.

match
MatchResources
(Optional)

Selects resources for which the policy rule should be applied. If it is defined, “kinds” inside the MatchResources block is required.

exclude
ExcludeResources
(Optional)

Selects resources for which the policy rule should not be applied.

preconditions
[]Condition
(Optional)

Allows condition-based control of the policy rule execution.

mutate
Mutation
(Optional)

Modifies matching resources.

validate
Validation
(Optional)

Checks matching resources.

generate
Generation
(Optional)

Generates new resources.


RuleStats

(Appears on: PolicyStatus)

RuleStats provides status per rule.

Field Description
ruleName
string

Rule name.

averageExecutionTime
string

Average time required to process the rule.

violationCount
int

Number of violations created by this rule.

failedCount
int

Count of rules that failed.

appliedCount
int

Count of rules that were applied.

resourcesBlockedCount
int

Count of resources whose update/create API requests were blocked because the resource did not satisfy the policy rules.

resourcesMutatedCount
int

Count of resources that were successfully mutated.

resourcesGeneratedCount
int

Count of resources that were successfully generated.


Spec

(Appears on: ClusterPolicy, Policy)

Spec describes policy behavior by its rules.

Field Description
rules
[]Rule

Rules contains the list of rules to be applied to resources.

validationFailureAction
string

ValidationFailureAction selects how violations of validation rules are handled when a resource fails a rule. Default value is “audit”.

background
bool

Background selects whether rules are also applied to existing resources, not only to incoming requests. Default value is “true”.

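The following ClusterPolicy is an added example, not taken from the Kyverno project or this reference page, that exercises the Spec and Rule fields above (validationFailureAction, background, match, exclude, validate with a pattern, and generate with an inline ResourceSpec). The policy name, the excluded namespace and the generated NetworkPolicy are constructed for illustration.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-security   # constructed name for this example
spec:
  # "audit" (the default) only records violations; "enforce" rejects the request
  validationFailureAction: enforce
  # also evaluate resources that already exist, not only new admission requests
  background: true
  rules:
    - name: disallow-privileged-and-host-network
      match:
        resources:
          kinds:
            - Pod
      exclude:
        resources:
          namespaces:
            - kube-system
      validate:
        message: "Privileged containers and hostNetwork are not allowed."
        # =() marks a key as optional: it is checked only if the resource sets it
        pattern:
          spec:
            =(hostNetwork): false
            containers:
              - =(securityContext):
                  =(privileged): false
    - name: default-deny-ingress
      match:
        resources:
          kinds:
            - Namespace
      # generate embeds ResourceSpec, so apiVersion/kind/name/namespace sit inline
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
```

With validationFailureAction set to enforce, a Pod matching the first rule that sets privileged: true is rejected at admission instead of producing a PolicyViolation; the second rule creates a default-deny ingress NetworkPolicy in every new Namespace and keeps it in sync.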

UserInfo

(Appears on: ExcludeResources, MatchResources)

UserInfo filters based on the requesting user.

Field Description
roles
[]string

Specifies the list of namespaced role names.

clusterRoles
[]string

Specifies the list of cluster-wide role names.

subjects
[]Kubernetes rbac/v1.Subject

Specifies the list of subjects, such as users, user groups, and service accounts.


Validation

(Appears on: Rule)

Validation describes how the validating webhook will check the resource on creation.

Field Description
message
string

Specifies the message to be displayed on a validation policy violation.

pattern
interface{}

Specifies the validation pattern.

anyPattern
[]interface{}

Specifies a list of validation patterns, of which at least one must match.

deny
Deny

Specifies the conditions under which validation is denied.


ViolatedRule

(Appears on: PolicyViolationSpec)

ViolatedRule stores the information regarding the violated rule.

Field Description
name
string

Specifies the violated rule name.

type
string

Specifies the violated rule type.

message
string

Specifies the violation message.


Last modified October 14, 2020: update CRD (d90083d)