kubernetes-fluent-client 3.0.3 → 4.0.0-rc-http2-watch
- package/.prettierignore +4 -0
- package/README.md +24 -0
- package/dist/cli.js +21 -1
- package/dist/fileSystem.d.ts +11 -0
- package/dist/fileSystem.d.ts.map +1 -0
- package/dist/fileSystem.js +42 -0
- package/dist/fileSystem.test.d.ts +2 -0
- package/dist/fileSystem.test.d.ts.map +1 -0
- package/dist/fileSystem.test.js +75 -0
- package/dist/fluent/watch.d.ts +2 -0
- package/dist/fluent/watch.d.ts.map +1 -1
- package/dist/fluent/watch.js +147 -27
- package/dist/generate.d.ts +71 -11
- package/dist/generate.d.ts.map +1 -1
- package/dist/generate.js +130 -117
- package/dist/generate.test.js +293 -346
- package/dist/postProcessing.d.ts +246 -0
- package/dist/postProcessing.d.ts.map +1 -0
- package/dist/postProcessing.js +497 -0
- package/dist/postProcessing.test.d.ts +2 -0
- package/dist/postProcessing.test.d.ts.map +1 -0
- package/dist/postProcessing.test.js +550 -0
- package/e2e/cli.e2e.test.ts +127 -0
- package/e2e/crds/policyreports.default.expected/policyreport-v1alpha1.ts +332 -0
- package/e2e/crds/policyreports.default.expected/policyreport-v1alpha2.ts +360 -0
- package/e2e/crds/policyreports.default.expected/policyreport-v1beta1.ts +360 -0
- package/e2e/crds/policyreports.no.post.expected/policyreport-v1alpha1.ts +331 -0
- package/e2e/crds/policyreports.no.post.expected/policyreport-v1alpha2.ts +360 -0
- package/e2e/crds/policyreports.no.post.expected/policyreport-v1beta1.ts +360 -0
- package/e2e/crds/test.yaml/policyreports.test.yaml +1008 -0
- package/e2e/crds/test.yaml/uds-podmonitors.test.yaml +1245 -0
- package/e2e/crds/uds-podmonitors.default.expected/podmonitor-v1.ts +1333 -0
- package/e2e/crds/uds-podmonitors.no.post.expected/podmonitor-v1.ts +1360 -0
- package/package.json +6 -5
- package/src/cli.ts +25 -1
- package/src/fileSystem.test.ts +67 -0
- package/src/fileSystem.ts +25 -0
- package/src/fluent/watch.ts +174 -35
- package/src/generate.test.ts +368 -358
- package/src/generate.ts +173 -154
- package/src/postProcessing.test.ts +742 -0
- package/src/postProcessing.ts +568 -0
|
@@ -0,0 +1,1008 @@
|
|
|
1
|
+
---
|
|
2
|
+
apiVersion: apiextensions.k8s.io/v1
|
|
3
|
+
kind: CustomResourceDefinition
|
|
4
|
+
metadata:
|
|
5
|
+
annotations:
|
|
6
|
+
controller-gen.kubebuilder.io/version: v0.9.0
|
|
7
|
+
creationTimestamp: null
|
|
8
|
+
name: policyreports.test
|
|
9
|
+
spec:
|
|
10
|
+
group: wgpolicyk8s.io
|
|
11
|
+
names:
|
|
12
|
+
kind: PolicyReport
|
|
13
|
+
listKind: PolicyReportList
|
|
14
|
+
plural: policyreports
|
|
15
|
+
shortNames:
|
|
16
|
+
- polr
|
|
17
|
+
singular: policyreport
|
|
18
|
+
scope: Namespaced
|
|
19
|
+
versions:
|
|
20
|
+
- additionalPrinterColumns:
|
|
21
|
+
- jsonPath: .scope.kind
|
|
22
|
+
name: Kind
|
|
23
|
+
priority: 1
|
|
24
|
+
type: string
|
|
25
|
+
- jsonPath: .scope.name
|
|
26
|
+
name: Name
|
|
27
|
+
priority: 1
|
|
28
|
+
type: string
|
|
29
|
+
- jsonPath: .summary.pass
|
|
30
|
+
name: Pass
|
|
31
|
+
type: integer
|
|
32
|
+
- jsonPath: .summary.fail
|
|
33
|
+
name: Fail
|
|
34
|
+
type: integer
|
|
35
|
+
- jsonPath: .summary.warn
|
|
36
|
+
name: Warn
|
|
37
|
+
type: integer
|
|
38
|
+
- jsonPath: .summary.error
|
|
39
|
+
name: Error
|
|
40
|
+
type: integer
|
|
41
|
+
- jsonPath: .summary.skip
|
|
42
|
+
name: Skip
|
|
43
|
+
type: integer
|
|
44
|
+
- jsonPath: .metadata.creationTimestamp
|
|
45
|
+
name: Age
|
|
46
|
+
type: date
|
|
47
|
+
name: v1alpha1
|
|
48
|
+
schema:
|
|
49
|
+
openAPIV3Schema:
|
|
50
|
+
description: PolicyReport is the Schema for the policyreports API
|
|
51
|
+
properties:
|
|
52
|
+
apiVersion:
|
|
53
|
+
description: "APIVersion defines the versioned schema of this representation
|
|
54
|
+
of an object. Servers should convert recognized schemas to the latest
|
|
55
|
+
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
|
|
56
|
+
type: string
|
|
57
|
+
kind:
|
|
58
|
+
description: "Kind is a string value representing the REST resource this
|
|
59
|
+
object represents. Servers may infer this from the endpoint the client
|
|
60
|
+
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
61
|
+
type: string
|
|
62
|
+
metadata:
|
|
63
|
+
type: object
|
|
64
|
+
results:
|
|
65
|
+
description: PolicyReportResult provides result details
|
|
66
|
+
items:
|
|
67
|
+
description: PolicyReportResult provides the result for an individual
|
|
68
|
+
policy
|
|
69
|
+
properties:
|
|
70
|
+
category:
|
|
71
|
+
description: Category indicates policy category
|
|
72
|
+
type: string
|
|
73
|
+
data:
|
|
74
|
+
additionalProperties:
|
|
75
|
+
type: string
|
|
76
|
+
description: Data provides additional information for the policy
|
|
77
|
+
rule
|
|
78
|
+
type: object
|
|
79
|
+
message:
|
|
80
|
+
description: Message is a short user friendly description of the
|
|
81
|
+
policy rule
|
|
82
|
+
type: string
|
|
83
|
+
policy:
|
|
84
|
+
description: Policy is the name of the policy
|
|
85
|
+
type: string
|
|
86
|
+
resourceSelector:
|
|
87
|
+
description: ResourceSelector is an optional selector for policy
|
|
88
|
+
results that apply to multiple resources. For example, a policy
|
|
89
|
+
result may apply to all pods that match a label. Either a Resource
|
|
90
|
+
or a ResourceSelector can be specified. If neither are provided,
|
|
91
|
+
the result is assumed to be for the policy report scope.
|
|
92
|
+
properties:
|
|
93
|
+
matchExpressions:
|
|
94
|
+
description: matchExpressions is a list of label selector requirements.
|
|
95
|
+
The requirements are ANDed.
|
|
96
|
+
items:
|
|
97
|
+
description: A label selector requirement is a selector that
|
|
98
|
+
contains values, a key, and an operator that relates the
|
|
99
|
+
key and values.
|
|
100
|
+
properties:
|
|
101
|
+
key:
|
|
102
|
+
description: key is the label key that the selector applies
|
|
103
|
+
to.
|
|
104
|
+
type: string
|
|
105
|
+
operator:
|
|
106
|
+
description: operator represents a key's relationship
|
|
107
|
+
to a set of values. Valid operators are In, NotIn, Exists
|
|
108
|
+
and DoesNotExist.
|
|
109
|
+
type: string
|
|
110
|
+
values:
|
|
111
|
+
description: values is an array of string values. If the
|
|
112
|
+
operator is In or NotIn, the values array must be non-empty.
|
|
113
|
+
If the operator is Exists or DoesNotExist, the values
|
|
114
|
+
array must be empty. This array is replaced during a
|
|
115
|
+
strategic merge patch.
|
|
116
|
+
items:
|
|
117
|
+
type: string
|
|
118
|
+
type: array
|
|
119
|
+
required:
|
|
120
|
+
- key
|
|
121
|
+
- operator
|
|
122
|
+
type: object
|
|
123
|
+
type: array
|
|
124
|
+
matchLabels:
|
|
125
|
+
additionalProperties:
|
|
126
|
+
type: string
|
|
127
|
+
description: matchLabels is a map of {key,value} pairs. A single
|
|
128
|
+
{key,value} in the matchLabels map is equivalent to an element
|
|
129
|
+
of matchExpressions, whose key field is "key", the operator
|
|
130
|
+
is "In", and the values array contains only "value". The requirements
|
|
131
|
+
are ANDed.
|
|
132
|
+
type: object
|
|
133
|
+
type: object
|
|
134
|
+
resources:
|
|
135
|
+
description: Resources is an optional reference to the resource
|
|
136
|
+
checked by the policy and rule
|
|
137
|
+
items:
|
|
138
|
+
description: 'ObjectReference contains enough information to let
|
|
139
|
+
you inspect or modify the referred object. --- New uses of this
|
|
140
|
+
type are discouraged because of difficulty describing its usage
|
|
141
|
+
when embedded in APIs. 1. Ignored fields. It includes many
|
|
142
|
+
fields which are not generally honored. For instance, ResourceVersion
|
|
143
|
+
and FieldPath are both very rarely valid in actual usage. 2.
|
|
144
|
+
Invalid usage help. It is impossible to add specific help for
|
|
145
|
+
individual usage. In most embedded usages, there are particular
|
|
146
|
+
restrictions like, "must refer only to types A and B" or "UID
|
|
147
|
+
not honored" or "name must be restricted". Those cannot be well
|
|
148
|
+
described when embedded. 3. Inconsistent validation. Because
|
|
149
|
+
the usages are different, the validation rules are different
|
|
150
|
+
by usage, which makes it hard for users to predict what will
|
|
151
|
+
happen. 4. The fields are both imprecise and overly precise. Kind
|
|
152
|
+
is not a precise mapping to a URL. This can produce ambiguity
|
|
153
|
+
during interpretation and require a REST mapping. In most cases,
|
|
154
|
+
the dependency is on the group,resource tuple and the version
|
|
155
|
+
of the actual struct is irrelevant. 5. We cannot easily change
|
|
156
|
+
it. Because this type is embedded in many locations, updates
|
|
157
|
+
to this type will affect numerous schemas. Don''t make new
|
|
158
|
+
APIs embed an underspecified API type they do not control. Instead
|
|
159
|
+
of using this type, create a locally provided and used type
|
|
160
|
+
that is well-focused on your reference. For example, ServiceReferences
|
|
161
|
+
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
162
|
+
.'
|
|
163
|
+
properties:
|
|
164
|
+
apiVersion:
|
|
165
|
+
description: API version of the referent.
|
|
166
|
+
type: string
|
|
167
|
+
fieldPath:
|
|
168
|
+
description: 'If referring to a piece of an object instead
|
|
169
|
+
of an entire object, this string should contain a valid
|
|
170
|
+
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
171
|
+
For example, if the object reference is to a container within
|
|
172
|
+
a pod, this would take on a value like: "spec.containers{name}"
|
|
173
|
+
(where "name" refers to the name of the container that triggered
|
|
174
|
+
the event) or if no container name is specified "spec.containers[2]"
|
|
175
|
+
(container with index 2 in this pod). This syntax is chosen
|
|
176
|
+
only to have some well-defined way of referencing a part
|
|
177
|
+
of an object. TODO: this design is not final and this field
|
|
178
|
+
is subject to change in the future.'
|
|
179
|
+
type: string
|
|
180
|
+
kind:
|
|
181
|
+
description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
182
|
+
type: string
|
|
183
|
+
name:
|
|
184
|
+
description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
|
|
185
|
+
type: string
|
|
186
|
+
namespace:
|
|
187
|
+
description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
|
|
188
|
+
type: string
|
|
189
|
+
resourceVersion:
|
|
190
|
+
description: "Specific resourceVersion to which this reference
|
|
191
|
+
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
|
|
192
|
+
type: string
|
|
193
|
+
uid:
|
|
194
|
+
description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
|
|
195
|
+
type: string
|
|
196
|
+
type: object
|
|
197
|
+
type: array
|
|
198
|
+
rule:
|
|
199
|
+
description: Rule is the name of the policy rule
|
|
200
|
+
type: string
|
|
201
|
+
scored:
|
|
202
|
+
description: Scored indicates if this policy rule is scored
|
|
203
|
+
type: boolean
|
|
204
|
+
severity:
|
|
205
|
+
description: Severity indicates policy severity
|
|
206
|
+
enum:
|
|
207
|
+
- high
|
|
208
|
+
- low
|
|
209
|
+
- medium
|
|
210
|
+
type: string
|
|
211
|
+
status:
|
|
212
|
+
description: Status indicates the result of the policy rule check
|
|
213
|
+
enum:
|
|
214
|
+
- pass
|
|
215
|
+
- fail
|
|
216
|
+
- warn
|
|
217
|
+
- error
|
|
218
|
+
- skip
|
|
219
|
+
type: string
|
|
220
|
+
required:
|
|
221
|
+
- policy
|
|
222
|
+
type: object
|
|
223
|
+
type: array
|
|
224
|
+
scope:
|
|
225
|
+
description: Scope is an optional reference to the report scope (e.g.
|
|
226
|
+
a Deployment, Namespace, or Node)
|
|
227
|
+
properties:
|
|
228
|
+
apiVersion:
|
|
229
|
+
description: API version of the referent.
|
|
230
|
+
type: string
|
|
231
|
+
fieldPath:
|
|
232
|
+
description: 'If referring to a piece of an object instead of an entire
|
|
233
|
+
object, this string should contain a valid JSON/Go field access
|
|
234
|
+
statement, such as desiredState.manifest.containers[2]. For example,
|
|
235
|
+
if the object reference is to a container within a pod, this would
|
|
236
|
+
take on a value like: "spec.containers{name}" (where "name" refers
|
|
237
|
+
to the name of the container that triggered the event) or if no
|
|
238
|
+
container name is specified "spec.containers[2]" (container with
|
|
239
|
+
index 2 in this pod). This syntax is chosen only to have some well-defined
|
|
240
|
+
way of referencing a part of an object. TODO: this design is not
|
|
241
|
+
final and this field is subject to change in the future.'
|
|
242
|
+
type: string
|
|
243
|
+
kind:
|
|
244
|
+
description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
245
|
+
type: string
|
|
246
|
+
name:
|
|
247
|
+
description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
|
|
248
|
+
type: string
|
|
249
|
+
namespace:
|
|
250
|
+
description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
|
|
251
|
+
type: string
|
|
252
|
+
resourceVersion:
|
|
253
|
+
description: "Specific resourceVersion to which this reference is
|
|
254
|
+
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
|
|
255
|
+
type: string
|
|
256
|
+
uid:
|
|
257
|
+
description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
|
|
258
|
+
type: string
|
|
259
|
+
type: object
|
|
260
|
+
scopeSelector:
|
|
261
|
+
description: ScopeSelector is an optional selector for multiple scopes
|
|
262
|
+
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
263
|
+
should be specified.
|
|
264
|
+
properties:
|
|
265
|
+
matchExpressions:
|
|
266
|
+
description: matchExpressions is a list of label selector requirements.
|
|
267
|
+
The requirements are ANDed.
|
|
268
|
+
items:
|
|
269
|
+
description: A label selector requirement is a selector that contains
|
|
270
|
+
values, a key, and an operator that relates the key and values.
|
|
271
|
+
properties:
|
|
272
|
+
key:
|
|
273
|
+
description: key is the label key that the selector applies
|
|
274
|
+
to.
|
|
275
|
+
type: string
|
|
276
|
+
operator:
|
|
277
|
+
description: operator represents a key's relationship to a set
|
|
278
|
+
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
279
|
+
type: string
|
|
280
|
+
values:
|
|
281
|
+
description: values is an array of string values. If the operator
|
|
282
|
+
is In or NotIn, the values array must be non-empty. If the
|
|
283
|
+
operator is Exists or DoesNotExist, the values array must
|
|
284
|
+
be empty. This array is replaced during a strategic merge
|
|
285
|
+
patch.
|
|
286
|
+
items:
|
|
287
|
+
type: string
|
|
288
|
+
type: array
|
|
289
|
+
required:
|
|
290
|
+
- key
|
|
291
|
+
- operator
|
|
292
|
+
type: object
|
|
293
|
+
type: array
|
|
294
|
+
matchLabels:
|
|
295
|
+
additionalProperties:
|
|
296
|
+
type: string
|
|
297
|
+
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
298
|
+
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
299
|
+
whose key field is "key", the operator is "In", and the values array
|
|
300
|
+
contains only "value". The requirements are ANDed.
|
|
301
|
+
type: object
|
|
302
|
+
type: object
|
|
303
|
+
summary:
|
|
304
|
+
description: PolicyReportSummary provides a summary of results
|
|
305
|
+
properties:
|
|
306
|
+
error:
|
|
307
|
+
description: Error provides the count of policies that could not be
|
|
308
|
+
evaluated
|
|
309
|
+
type: integer
|
|
310
|
+
fail:
|
|
311
|
+
description: Fail provides the count of policies whose requirements
|
|
312
|
+
were not met
|
|
313
|
+
type: integer
|
|
314
|
+
pass:
|
|
315
|
+
description: Pass provides the count of policies whose requirements
|
|
316
|
+
were met
|
|
317
|
+
type: integer
|
|
318
|
+
skip:
|
|
319
|
+
description: Skip indicates the count of policies that were not selected
|
|
320
|
+
for evaluation
|
|
321
|
+
type: integer
|
|
322
|
+
warn:
|
|
323
|
+
description: Warn provides the count of unscored policies whose requirements
|
|
324
|
+
were not met
|
|
325
|
+
type: integer
|
|
326
|
+
type: object
|
|
327
|
+
type: object
|
|
328
|
+
served: true
|
|
329
|
+
storage: false
|
|
330
|
+
subresources: {}
|
|
331
|
+
- additionalPrinterColumns:
|
|
332
|
+
- jsonPath: .scope.kind
|
|
333
|
+
name: Kind
|
|
334
|
+
priority: 1
|
|
335
|
+
type: string
|
|
336
|
+
- jsonPath: .scope.name
|
|
337
|
+
name: Name
|
|
338
|
+
priority: 1
|
|
339
|
+
type: string
|
|
340
|
+
- jsonPath: .summary.pass
|
|
341
|
+
name: Pass
|
|
342
|
+
type: integer
|
|
343
|
+
- jsonPath: .summary.fail
|
|
344
|
+
name: Fail
|
|
345
|
+
type: integer
|
|
346
|
+
- jsonPath: .summary.warn
|
|
347
|
+
name: Warn
|
|
348
|
+
type: integer
|
|
349
|
+
- jsonPath: .summary.error
|
|
350
|
+
name: Error
|
|
351
|
+
type: integer
|
|
352
|
+
- jsonPath: .summary.skip
|
|
353
|
+
name: Skip
|
|
354
|
+
type: integer
|
|
355
|
+
- jsonPath: .metadata.creationTimestamp
|
|
356
|
+
name: Age
|
|
357
|
+
type: date
|
|
358
|
+
name: v1alpha2
|
|
359
|
+
schema:
|
|
360
|
+
openAPIV3Schema:
|
|
361
|
+
description: PolicyReport is the Schema for the policyreports API
|
|
362
|
+
properties:
|
|
363
|
+
apiVersion:
|
|
364
|
+
description: "APIVersion defines the versioned schema of this representation
|
|
365
|
+
of an object. Servers should convert recognized schemas to the latest
|
|
366
|
+
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
|
|
367
|
+
type: string
|
|
368
|
+
kind:
|
|
369
|
+
description: "Kind is a string value representing the REST resource this
|
|
370
|
+
object represents. Servers may infer this from the endpoint the client
|
|
371
|
+
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
372
|
+
type: string
|
|
373
|
+
metadata:
|
|
374
|
+
type: object
|
|
375
|
+
results:
|
|
376
|
+
description: PolicyReportResult provides result details
|
|
377
|
+
items:
|
|
378
|
+
description: PolicyReportResult provides the result for an individual
|
|
379
|
+
policy
|
|
380
|
+
properties:
|
|
381
|
+
category:
|
|
382
|
+
description: Category indicates policy category
|
|
383
|
+
type: string
|
|
384
|
+
message:
|
|
385
|
+
description: Description is a short user friendly message for the
|
|
386
|
+
policy rule
|
|
387
|
+
type: string
|
|
388
|
+
policy:
|
|
389
|
+
description: Policy is the name or identifier of the policy
|
|
390
|
+
type: string
|
|
391
|
+
properties:
|
|
392
|
+
additionalProperties:
|
|
393
|
+
type: string
|
|
394
|
+
description: Properties provides additional information for the
|
|
395
|
+
policy rule
|
|
396
|
+
type: object
|
|
397
|
+
resourceSelector:
|
|
398
|
+
description: SubjectSelector is an optional label selector for checked
|
|
399
|
+
Kubernetes resources. For example, a policy result may apply to
|
|
400
|
+
all pods that match a label. Either a Subject or a SubjectSelector
|
|
401
|
+
can be specified. If neither are provided, the result is assumed
|
|
402
|
+
to be for the policy report scope.
|
|
403
|
+
properties:
|
|
404
|
+
matchExpressions:
|
|
405
|
+
description: matchExpressions is a list of label selector requirements.
|
|
406
|
+
The requirements are ANDed.
|
|
407
|
+
items:
|
|
408
|
+
description: A label selector requirement is a selector that
|
|
409
|
+
contains values, a key, and an operator that relates the
|
|
410
|
+
key and values.
|
|
411
|
+
properties:
|
|
412
|
+
key:
|
|
413
|
+
description: key is the label key that the selector applies
|
|
414
|
+
to.
|
|
415
|
+
type: string
|
|
416
|
+
operator:
|
|
417
|
+
description: operator represents a key's relationship
|
|
418
|
+
to a set of values. Valid operators are In, NotIn, Exists
|
|
419
|
+
and DoesNotExist.
|
|
420
|
+
type: string
|
|
421
|
+
values:
|
|
422
|
+
description: values is an array of string values. If the
|
|
423
|
+
operator is In or NotIn, the values array must be non-empty.
|
|
424
|
+
If the operator is Exists or DoesNotExist, the values
|
|
425
|
+
array must be empty. This array is replaced during a
|
|
426
|
+
strategic merge patch.
|
|
427
|
+
items:
|
|
428
|
+
type: string
|
|
429
|
+
type: array
|
|
430
|
+
required:
|
|
431
|
+
- key
|
|
432
|
+
- operator
|
|
433
|
+
type: object
|
|
434
|
+
type: array
|
|
435
|
+
matchLabels:
|
|
436
|
+
additionalProperties:
|
|
437
|
+
type: string
|
|
438
|
+
description: matchLabels is a map of {key,value} pairs. A single
|
|
439
|
+
{key,value} in the matchLabels map is equivalent to an element
|
|
440
|
+
of matchExpressions, whose key field is "key", the operator
|
|
441
|
+
is "In", and the values array contains only "value". The requirements
|
|
442
|
+
are ANDed.
|
|
443
|
+
type: object
|
|
444
|
+
type: object
|
|
445
|
+
resources:
|
|
446
|
+
description: Subjects is an optional reference to the checked Kubernetes
|
|
447
|
+
resources
|
|
448
|
+
items:
|
|
449
|
+
description: 'ObjectReference contains enough information to let
|
|
450
|
+
you inspect or modify the referred object. --- New uses of this
|
|
451
|
+
type are discouraged because of difficulty describing its usage
|
|
452
|
+
when embedded in APIs. 1. Ignored fields. It includes many
|
|
453
|
+
fields which are not generally honored. For instance, ResourceVersion
|
|
454
|
+
and FieldPath are both very rarely valid in actual usage. 2.
|
|
455
|
+
Invalid usage help. It is impossible to add specific help for
|
|
456
|
+
individual usage. In most embedded usages, there are particular
|
|
457
|
+
restrictions like, "must refer only to types A and B" or "UID
|
|
458
|
+
not honored" or "name must be restricted". Those cannot be well
|
|
459
|
+
described when embedded. 3. Inconsistent validation. Because
|
|
460
|
+
the usages are different, the validation rules are different
|
|
461
|
+
by usage, which makes it hard for users to predict what will
|
|
462
|
+
happen. 4. The fields are both imprecise and overly precise. Kind
|
|
463
|
+
is not a precise mapping to a URL. This can produce ambiguity
|
|
464
|
+
during interpretation and require a REST mapping. In most cases,
|
|
465
|
+
the dependency is on the group,resource tuple and the version
|
|
466
|
+
of the actual struct is irrelevant. 5. We cannot easily change
|
|
467
|
+
it. Because this type is embedded in many locations, updates
|
|
468
|
+
to this type will affect numerous schemas. Don''t make new
|
|
469
|
+
APIs embed an underspecified API type they do not control. Instead
|
|
470
|
+
of using this type, create a locally provided and used type
|
|
471
|
+
that is well-focused on your reference. For example, ServiceReferences
|
|
472
|
+
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
473
|
+
.'
|
|
474
|
+
properties:
|
|
475
|
+
apiVersion:
|
|
476
|
+
description: API version of the referent.
|
|
477
|
+
type: string
|
|
478
|
+
fieldPath:
|
|
479
|
+
description: 'If referring to a piece of an object instead
|
|
480
|
+
of an entire object, this string should contain a valid
|
|
481
|
+
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
482
|
+
For example, if the object reference is to a container within
|
|
483
|
+
a pod, this would take on a value like: "spec.containers{name}"
|
|
484
|
+
(where "name" refers to the name of the container that triggered
|
|
485
|
+
the event) or if no container name is specified "spec.containers[2]"
|
|
486
|
+
(container with index 2 in this pod). This syntax is chosen
|
|
487
|
+
only to have some well-defined way of referencing a part
|
|
488
|
+
of an object. TODO: this design is not final and this field
|
|
489
|
+
is subject to change in the future.'
|
|
490
|
+
type: string
|
|
491
|
+
kind:
|
|
492
|
+
description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
493
|
+
type: string
|
|
494
|
+
name:
|
|
495
|
+
description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
|
|
496
|
+
type: string
|
|
497
|
+
namespace:
|
|
498
|
+
description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
|
|
499
|
+
type: string
|
|
500
|
+
resourceVersion:
|
|
501
|
+
description: "Specific resourceVersion to which this reference
|
|
502
|
+
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
|
|
503
|
+
type: string
|
|
504
|
+
uid:
|
|
505
|
+
description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
|
|
506
|
+
type: string
|
|
507
|
+
type: object
|
|
508
|
+
type: array
|
|
509
|
+
result:
|
|
510
|
+
description: Result indicates the outcome of the policy rule execution
|
|
511
|
+
enum:
|
|
512
|
+
- pass
|
|
513
|
+
- fail
|
|
514
|
+
- warn
|
|
515
|
+
- error
|
|
516
|
+
- skip
|
|
517
|
+
type: string
|
|
518
|
+
rule:
|
|
519
|
+
description: Rule is the name or identifier of the rule within the
|
|
520
|
+
policy
|
|
521
|
+
type: string
|
|
522
|
+
scored:
|
|
523
|
+
description: Scored indicates if this result is scored
|
|
524
|
+
type: boolean
|
|
525
|
+
severity:
|
|
526
|
+
description: Severity indicates policy check result criticality
|
|
527
|
+
enum:
|
|
528
|
+
- critical
|
|
529
|
+
- high
|
|
530
|
+
- low
|
|
531
|
+
- medium
|
|
532
|
+
- info
|
|
533
|
+
type: string
|
|
534
|
+
source:
|
|
535
|
+
description: Source is an identifier for the policy engine that
|
|
536
|
+
manages this report
|
|
537
|
+
type: string
|
|
538
|
+
timestamp:
|
|
539
|
+
description: Timestamp indicates the time the result was found
|
|
540
|
+
properties:
|
|
541
|
+
nanos:
|
|
542
|
+
description: Non-negative fractions of a second at nanosecond
|
|
543
|
+
resolution. Negative second values with fractions must still
|
|
544
|
+
have non-negative nanos values that count forward in time.
|
|
545
|
+
Must be from 0 to 999,999,999 inclusive. This field may be
|
|
546
|
+
limited in precision depending on context.
|
|
547
|
+
format: int32
|
|
548
|
+
type: integer
|
|
549
|
+
seconds:
|
|
550
|
+
description: Represents seconds of UTC time since Unix epoch
|
|
551
|
+
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
552
|
+
9999-12-31T23:59:59Z inclusive.
|
|
553
|
+
format: int64
|
|
554
|
+
type: integer
|
|
555
|
+
required:
|
|
556
|
+
- nanos
|
|
557
|
+
- seconds
|
|
558
|
+
type: object
|
|
559
|
+
required:
|
|
560
|
+
- policy
|
|
561
|
+
type: object
|
|
562
|
+
type: array
|
|
563
|
+
scope:
|
|
564
|
+
description: Scope is an optional reference to the report scope (e.g.
|
|
565
|
+
a Deployment, Namespace, or Node)
|
|
566
|
+
properties:
|
|
567
|
+
apiVersion:
|
|
568
|
+
description: API version of the referent.
|
|
569
|
+
type: string
|
|
570
|
+
fieldPath:
|
|
571
|
+
description: 'If referring to a piece of an object instead of an entire
|
|
572
|
+
object, this string should contain a valid JSON/Go field access
|
|
573
|
+
statement, such as desiredState.manifest.containers[2]. For example,
|
|
574
|
+
if the object reference is to a container within a pod, this would
|
|
575
|
+
take on a value like: "spec.containers{name}" (where "name" refers
|
|
576
|
+
to the name of the container that triggered the event) or if no
|
|
577
|
+
container name is specified "spec.containers[2]" (container with
|
|
578
|
+
index 2 in this pod). This syntax is chosen only to have some well-defined
|
|
579
|
+
way of referencing a part of an object. TODO: this design is not
|
|
580
|
+
final and this field is subject to change in the future.'
|
|
581
|
+
type: string
|
|
582
|
+
kind:
|
|
583
|
+
description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
584
|
+
type: string
|
|
585
|
+
name:
|
|
586
|
+
description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
|
|
587
|
+
type: string
|
|
588
|
+
namespace:
|
|
589
|
+
description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
|
|
590
|
+
type: string
|
|
591
|
+
resourceVersion:
|
|
592
|
+
description: "Specific resourceVersion to which this reference is
|
|
593
|
+
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
|
|
594
|
+
type: string
|
|
595
|
+
uid:
|
|
596
|
+
description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
|
|
597
|
+
type: string
|
|
598
|
+
type: object
|
|
599
|
+
scopeSelector:
|
|
600
|
+
description: ScopeSelector is an optional selector for multiple scopes
|
|
601
|
+
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
602
|
+
should be specified.
|
|
603
|
+
properties:
|
|
604
|
+
matchExpressions:
|
|
605
|
+
description: matchExpressions is a list of label selector requirements.
|
|
606
|
+
The requirements are ANDed.
|
|
607
|
+
items:
|
|
608
|
+
description: A label selector requirement is a selector that contains
|
|
609
|
+
values, a key, and an operator that relates the key and values.
|
|
610
|
+
properties:
|
|
611
|
+
key:
|
|
612
|
+
description: key is the label key that the selector applies
|
|
613
|
+
to.
|
|
614
|
+
type: string
|
|
615
|
+
operator:
|
|
616
|
+
description: operator represents a key's relationship to a set
|
|
617
|
+
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
618
|
+
type: string
|
|
619
|
+
values:
|
|
620
|
+
description: values is an array of string values. If the operator
|
|
621
|
+
is In or NotIn, the values array must be non-empty. If the
|
|
622
|
+
operator is Exists or DoesNotExist, the values array must
|
|
623
|
+
be empty. This array is replaced during a strategic merge
|
|
624
|
+
patch.
|
|
625
|
+
items:
|
|
626
|
+
type: string
|
|
627
|
+
type: array
|
|
628
|
+
required:
|
|
629
|
+
- key
|
|
630
|
+
- operator
|
|
631
|
+
type: object
|
|
632
|
+
type: array
|
|
633
|
+
matchLabels:
|
|
634
|
+
additionalProperties:
|
|
635
|
+
type: string
|
|
636
|
+
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
637
|
+
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
638
|
+
whose key field is "key", the operator is "In", and the values array
|
|
639
|
+
contains only "value". The requirements are ANDed.
|
|
640
|
+
type: object
|
|
641
|
+
type: object
|
|
642
|
+
summary:
|
|
643
|
+
description: PolicyReportSummary provides a summary of results
|
|
644
|
+
properties:
|
|
645
|
+
error:
|
|
646
|
+
description: Error provides the count of policies that could not be
|
|
647
|
+
evaluated
|
|
648
|
+
type: integer
|
|
649
|
+
fail:
|
|
650
|
+
description: Fail provides the count of policies whose requirements
|
|
651
|
+
were not met
|
|
652
|
+
type: integer
|
|
653
|
+
pass:
|
|
654
|
+
description: Pass provides the count of policies whose requirements
|
|
655
|
+
were met
|
|
656
|
+
type: integer
|
|
657
|
+
skip:
|
|
658
|
+
description: Skip indicates the count of policies that were not selected
|
|
659
|
+
for evaluation
|
|
660
|
+
type: integer
|
|
661
|
+
warn:
|
|
662
|
+
description: Warn provides the count of non-scored policies whose
|
|
663
|
+
requirements were not met
|
|
664
|
+
type: integer
|
|
665
|
+
type: object
|
|
666
|
+
type: object
|
|
667
|
+
served: true
|
|
668
|
+
storage: false
|
|
669
|
+
subresources: {}
|
|
670
|
+
- additionalPrinterColumns:
|
|
671
|
+
- jsonPath: .scope.kind
|
|
672
|
+
name: Kind
|
|
673
|
+
priority: 1
|
|
674
|
+
type: string
|
|
675
|
+
- jsonPath: .scope.name
|
|
676
|
+
name: Name
|
|
677
|
+
priority: 1
|
|
678
|
+
type: string
|
|
679
|
+
- jsonPath: .summary.pass
|
|
680
|
+
name: Pass
|
|
681
|
+
type: integer
|
|
682
|
+
- jsonPath: .summary.fail
|
|
683
|
+
name: Fail
|
|
684
|
+
type: integer
|
|
685
|
+
- jsonPath: .summary.warn
|
|
686
|
+
name: Warn
|
|
687
|
+
type: integer
|
|
688
|
+
- jsonPath: .summary.error
|
|
689
|
+
name: Error
|
|
690
|
+
type: integer
|
|
691
|
+
- jsonPath: .summary.skip
|
|
692
|
+
name: Skip
|
|
693
|
+
type: integer
|
|
694
|
+
- jsonPath: .metadata.creationTimestamp
|
|
695
|
+
name: Age
|
|
696
|
+
type: date
|
|
697
|
+
name: v1beta1
|
|
698
|
+
schema:
|
|
699
|
+
openAPIV3Schema:
|
|
700
|
+
description: PolicyReport is the Schema for the policyreports API
|
|
701
|
+
properties:
|
|
702
|
+
apiVersion:
|
|
703
|
+
description: "APIVersion defines the versioned schema of this representation
|
|
704
|
+
of an object. Servers should convert recognized schemas to the latest
|
|
705
|
+
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
|
|
706
|
+
type: string
|
|
707
|
+
kind:
|
|
708
|
+
description: "Kind is a string value representing the REST resource this
|
|
709
|
+
object represents. Servers may infer this from the endpoint the client
|
|
710
|
+
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
711
|
+
type: string
|
|
712
|
+
metadata:
|
|
713
|
+
type: object
|
|
714
|
+
results:
|
|
715
|
+
description: PolicyReportResult provides result details
|
|
716
|
+
items:
|
|
717
|
+
description: PolicyReportResult provides the result for an individual
|
|
718
|
+
policy
|
|
719
|
+
properties:
|
|
720
|
+
category:
|
|
721
|
+
description: Category indicates policy category
|
|
722
|
+
type: string
|
|
723
|
+
message:
|
|
724
|
+
description: Description is a short user friendly message for the
|
|
725
|
+
policy rule
|
|
726
|
+
type: string
|
|
727
|
+
policy:
|
|
728
|
+
description: Policy is the name or identifier of the policy
|
|
729
|
+
type: string
|
|
730
|
+
properties:
|
|
731
|
+
additionalProperties:
|
|
732
|
+
type: string
|
|
733
|
+
description: Properties provides additional information for the
|
|
734
|
+
policy rule
|
|
735
|
+
type: object
|
|
736
|
+
resourceSelector:
|
|
737
|
+
description: SubjectSelector is an optional label selector for checked
|
|
738
|
+
Kubernetes resources. For example, a policy result may apply to
|
|
739
|
+
all pods that match a label. Either a Subject or a SubjectSelector
|
|
740
|
+
can be specified. If neither are provided, the result is assumed
|
|
741
|
+
to be for the policy report scope.
|
|
742
|
+
properties:
|
|
743
|
+
matchExpressions:
|
|
744
|
+
description: matchExpressions is a list of label selector requirements.
|
|
745
|
+
The requirements are ANDed.
|
|
746
|
+
items:
|
|
747
|
+
description: A label selector requirement is a selector that
|
|
748
|
+
contains values, a key, and an operator that relates the
|
|
749
|
+
key and values.
|
|
750
|
+
properties:
|
|
751
|
+
key:
|
|
752
|
+
description: key is the label key that the selector applies
|
|
753
|
+
to.
|
|
754
|
+
type: string
|
|
755
|
+
operator:
|
|
756
|
+
description: operator represents a key's relationship
|
|
757
|
+
to a set of values. Valid operators are In, NotIn, Exists
|
|
758
|
+
and DoesNotExist.
|
|
759
|
+
type: string
|
|
760
|
+
values:
|
|
761
|
+
description: values is an array of string values. If the
|
|
762
|
+
operator is In or NotIn, the values array must be non-empty.
|
|
763
|
+
If the operator is Exists or DoesNotExist, the values
|
|
764
|
+
array must be empty. This array is replaced during a
|
|
765
|
+
strategic merge patch.
|
|
766
|
+
items:
|
|
767
|
+
type: string
|
|
768
|
+
type: array
|
|
769
|
+
required:
|
|
770
|
+
- key
|
|
771
|
+
- operator
|
|
772
|
+
type: object
|
|
773
|
+
type: array
|
|
774
|
+
matchLabels:
|
|
775
|
+
additionalProperties:
|
|
776
|
+
type: string
|
|
777
|
+
description: matchLabels is a map of {key,value} pairs. A single
|
|
778
|
+
{key,value} in the matchLabels map is equivalent to an element
|
|
779
|
+
of matchExpressions, whose key field is "key", the operator
|
|
780
|
+
is "In", and the values array contains only "value". The requirements
|
|
781
|
+
are ANDed.
|
|
782
|
+
type: object
|
|
783
|
+
type: object
|
|
784
|
+
resources:
|
|
785
|
+
description: Subjects is an optional reference to the checked Kubernetes
|
|
786
|
+
resources
|
|
787
|
+
items:
|
|
788
|
+
description: 'ObjectReference contains enough information to let
|
|
789
|
+
you inspect or modify the referred object. --- New uses of this
|
|
790
|
+
type are discouraged because of difficulty describing its usage
|
|
791
|
+
when embedded in APIs. 1. Ignored fields. It includes many
|
|
792
|
+
fields which are not generally honored. For instance, ResourceVersion
|
|
793
|
+
and FieldPath are both very rarely valid in actual usage. 2.
|
|
794
|
+
Invalid usage help. It is impossible to add specific help for
|
|
795
|
+
individual usage. In most embedded usages, there are particular
|
|
796
|
+
restrictions like, "must refer only to types A and B" or "UID
|
|
797
|
+
not honored" or "name must be restricted". Those cannot be well
|
|
798
|
+
described when embedded. 3. Inconsistent validation. Because
|
|
799
|
+
the usages are different, the validation rules are different
|
|
800
|
+
by usage, which makes it hard for users to predict what will
|
|
801
|
+
happen. 4. The fields are both imprecise and overly precise. Kind
|
|
802
|
+
is not a precise mapping to a URL. This can produce ambiguity
|
|
803
|
+
during interpretation and require a REST mapping. In most cases,
|
|
804
|
+
the dependency is on the group,resource tuple and the version
|
|
805
|
+
of the actual struct is irrelevant. 5. We cannot easily change
|
|
806
|
+
it. Because this type is embedded in many locations, updates
|
|
807
|
+
to this type will affect numerous schemas. Don''t make new
|
|
808
|
+
APIs embed an underspecified API type they do not control. Instead
|
|
809
|
+
of using this type, create a locally provided and used type
|
|
810
|
+
that is well-focused on your reference. For example, ServiceReferences
|
|
811
|
+
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
812
|
+
.'
|
|
813
|
+
properties:
|
|
814
|
+
apiVersion:
|
|
815
|
+
description: API version of the referent.
|
|
816
|
+
type: string
|
|
817
|
+
fieldPath:
|
|
818
|
+
description: 'If referring to a piece of an object instead
|
|
819
|
+
of an entire object, this string should contain a valid
|
|
820
|
+
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
821
|
+
For example, if the object reference is to a container within
|
|
822
|
+
a pod, this would take on a value like: "spec.containers{name}"
|
|
823
|
+
(where "name" refers to the name of the container that triggered
|
|
824
|
+
the event) or if no container name is specified "spec.containers[2]"
|
|
825
|
+
(container with index 2 in this pod). This syntax is chosen
|
|
826
|
+
only to have some well-defined way of referencing a part
|
|
827
|
+
of an object. TODO: this design is not final and this field
|
|
828
|
+
is subject to change in the future.'
|
|
829
|
+
type: string
|
|
830
|
+
kind:
|
|
831
|
+
description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
832
|
+
type: string
|
|
833
|
+
name:
|
|
834
|
+
description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
|
|
835
|
+
type: string
|
|
836
|
+
namespace:
|
|
837
|
+
description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
|
|
838
|
+
type: string
|
|
839
|
+
resourceVersion:
|
|
840
|
+
description: "Specific resourceVersion to which this reference
|
|
841
|
+
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
|
|
842
|
+
type: string
|
|
843
|
+
uid:
|
|
844
|
+
description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
|
|
845
|
+
type: string
|
|
846
|
+
type: object
|
|
847
|
+
type: array
|
|
848
|
+
result:
|
|
849
|
+
description: Result indicates the outcome of the policy rule execution
|
|
850
|
+
enum:
|
|
851
|
+
- pass
|
|
852
|
+
- fail
|
|
853
|
+
- warn
|
|
854
|
+
- error
|
|
855
|
+
- skip
|
|
856
|
+
type: string
|
|
857
|
+
rule:
|
|
858
|
+
description: Rule is the name or identifier of the rule within the
|
|
859
|
+
policy
|
|
860
|
+
type: string
|
|
861
|
+
scored:
|
|
862
|
+
description: Scored indicates if this result is scored
|
|
863
|
+
type: boolean
|
|
864
|
+
severity:
|
|
865
|
+
description: Severity indicates policy check result criticality
|
|
866
|
+
enum:
|
|
867
|
+
- critical
|
|
868
|
+
- high
|
|
869
|
+
- low
|
|
870
|
+
- medium
|
|
871
|
+
- info
|
|
872
|
+
type: string
|
|
873
|
+
source:
|
|
874
|
+
description: Source is an identifier for the policy engine that
|
|
875
|
+
manages this report
|
|
876
|
+
type: string
|
|
877
|
+
timestamp:
|
|
878
|
+
description: Timestamp indicates the time the result was found
|
|
879
|
+
properties:
|
|
880
|
+
nanos:
|
|
881
|
+
description: Non-negative fractions of a second at nanosecond
|
|
882
|
+
resolution. Negative second values with fractions must still
|
|
883
|
+
have non-negative nanos values that count forward in time.
|
|
884
|
+
Must be from 0 to 999,999,999 inclusive. This field may be
|
|
885
|
+
limited in precision depending on context.
|
|
886
|
+
format: int32
|
|
887
|
+
type: integer
|
|
888
|
+
seconds:
|
|
889
|
+
description: Represents seconds of UTC time since Unix epoch
|
|
890
|
+
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
891
|
+
9999-12-31T23:59:59Z inclusive.
|
|
892
|
+
format: int64
|
|
893
|
+
type: integer
|
|
894
|
+
required:
|
|
895
|
+
- nanos
|
|
896
|
+
- seconds
|
|
897
|
+
type: object
|
|
898
|
+
required:
|
|
899
|
+
- policy
|
|
900
|
+
type: object
|
|
901
|
+
type: array
|
|
902
|
+
scope:
|
|
903
|
+
description: Scope is an optional reference to the report scope (e.g.
|
|
904
|
+
a Deployment, Namespace, or Node)
|
|
905
|
+
properties:
|
|
906
|
+
apiVersion:
|
|
907
|
+
description: API version of the referent.
|
|
908
|
+
type: string
|
|
909
|
+
fieldPath:
|
|
910
|
+
description: 'If referring to a piece of an object instead of an entire
|
|
911
|
+
object, this string should contain a valid JSON/Go field access
|
|
912
|
+
statement, such as desiredState.manifest.containers[2]. For example,
|
|
913
|
+
if the object reference is to a container within a pod, this would
|
|
914
|
+
take on a value like: "spec.containers{name}" (where "name" refers
|
|
915
|
+
to the name of the container that triggered the event) or if no
|
|
916
|
+
container name is specified "spec.containers[2]" (container with
|
|
917
|
+
index 2 in this pod). This syntax is chosen only to have some well-defined
|
|
918
|
+
way of referencing a part of an object. TODO: this design is not
|
|
919
|
+
final and this field is subject to change in the future.'
|
|
920
|
+
type: string
|
|
921
|
+
kind:
|
|
922
|
+
description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
923
|
+
type: string
|
|
924
|
+
name:
|
|
925
|
+
description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
|
|
926
|
+
type: string
|
|
927
|
+
namespace:
|
|
928
|
+
description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
|
|
929
|
+
type: string
|
|
930
|
+
resourceVersion:
|
|
931
|
+
description: "Specific resourceVersion to which this reference is
|
|
932
|
+
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
|
|
933
|
+
type: string
|
|
934
|
+
uid:
|
|
935
|
+
description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
|
|
936
|
+
type: string
|
|
937
|
+
type: object
|
|
938
|
+
scopeSelector:
|
|
939
|
+
description: ScopeSelector is an optional selector for multiple scopes
|
|
940
|
+
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
941
|
+
should be specified.
|
|
942
|
+
properties:
|
|
943
|
+
matchExpressions:
|
|
944
|
+
description: matchExpressions is a list of label selector requirements.
|
|
945
|
+
The requirements are ANDed.
|
|
946
|
+
items:
|
|
947
|
+
description: A label selector requirement is a selector that contains
|
|
948
|
+
values, a key, and an operator that relates the key and values.
|
|
949
|
+
properties:
|
|
950
|
+
key:
|
|
951
|
+
description: key is the label key that the selector applies
|
|
952
|
+
to.
|
|
953
|
+
type: string
|
|
954
|
+
operator:
|
|
955
|
+
description: operator represents a key's relationship to a set
|
|
956
|
+
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
957
|
+
type: string
|
|
958
|
+
values:
|
|
959
|
+
description: values is an array of string values. If the operator
|
|
960
|
+
is In or NotIn, the values array must be non-empty. If the
|
|
961
|
+
operator is Exists or DoesNotExist, the values array must
|
|
962
|
+
be empty. This array is replaced during a strategic merge
|
|
963
|
+
patch.
|
|
964
|
+
items:
|
|
965
|
+
type: string
|
|
966
|
+
type: array
|
|
967
|
+
required:
|
|
968
|
+
- key
|
|
969
|
+
- operator
|
|
970
|
+
type: object
|
|
971
|
+
type: array
|
|
972
|
+
matchLabels:
|
|
973
|
+
additionalProperties:
|
|
974
|
+
type: string
|
|
975
|
+
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
976
|
+
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
977
|
+
whose key field is "key", the operator is "In", and the values array
|
|
978
|
+
contains only "value". The requirements are ANDed.
|
|
979
|
+
type: object
|
|
980
|
+
type: object
|
|
981
|
+
summary:
|
|
982
|
+
description: PolicyReportSummary provides a summary of results
|
|
983
|
+
properties:
|
|
984
|
+
error:
|
|
985
|
+
description: Error provides the count of policies that could not be
|
|
986
|
+
evaluated
|
|
987
|
+
type: integer
|
|
988
|
+
fail:
|
|
989
|
+
description: Fail provides the count of policies whose requirements
|
|
990
|
+
were not met
|
|
991
|
+
type: integer
|
|
992
|
+
pass:
|
|
993
|
+
description: Pass provides the count of policies whose requirements
|
|
994
|
+
were met
|
|
995
|
+
type: integer
|
|
996
|
+
skip:
|
|
997
|
+
description: Skip indicates the count of policies that were not selected
|
|
998
|
+
for evaluation
|
|
999
|
+
type: integer
|
|
1000
|
+
warn:
|
|
1001
|
+
description: Warn provides the count of non-scored policies whose
|
|
1002
|
+
requirements were not met
|
|
1003
|
+
type: integer
|
|
1004
|
+
type: object
|
|
1005
|
+
type: object
|
|
1006
|
+
served: true
|
|
1007
|
+
storage: true
|
|
1008
|
+
subresources: {}
|