The Space API describes the types and parameters for the core Space components.
When set to One, processing stops after a rule has been applied, i.e. the rule matches and results in a pass, fail, or error. When set to All, all rules in the policy are processed. The default is All.
GetFailurePolicy() should be used. Allowed values are Ignore or Fail. Defaults to Fail.

Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
- ‘object’ - The object from the incoming request. The value is null for DELETE requests.
- ‘oldObject’ - The existing object. The value is null for CREATE requests.
- ‘request’ - Attributes of the admission request (https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest).
- ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, ‘-’, ‘_’ or ‘.’, and must start and end with an alphanumeric character (e.g. ‘MyName’, or ‘my.name’, or ‘123-abc’; the regex used for validation is ‘([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]’) with an optional DNS subdomain prefix and ‘/’ (e.g. ‘example.com/MyName’).
Required.
kubectl get --raw command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details.

matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allow writing label selectors like ['storage.k8s.io/*': '*']. Note that using ['*' : '*'] matches any key and value but does not match an empty label set.
matchLabels: wildcard characters are not supported.

any or all statements. See: https://kyverno.io/docs/writing-policies/preconditions/

any or all statements. A direct list of conditions (without any or all statements) is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/
key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: ‘{ValidatingAdmissionPolicy name}/{key}’.
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.
Required.
valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.
If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.
Required.
Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
- ‘object’ - The object from the incoming request. The value is null for DELETE requests.
- ‘oldObject’ - The existing object. The value is null for CREATE requests.
- ‘request’ - Attributes of the API request(ref).
- ‘params’ - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
- ‘namespaceObject’ - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
- ‘variables’ - Map of composited variables, from its name to its lazily evaluated value. For example, a variable named ‘foo’ can be accessed as ‘variables.foo’.
- ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource.
The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the object. No other metadata properties are accessible.
Only property names of the form [a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible.
Accessible property names are escaped according to the following rules when accessed in the expression:
- '__' escapes to '__underscores__'
- '.' escapes to '__dot__'
- '-' escapes to '__dash__'
- '/' escapes to '__slash__'
- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
'true', 'false', 'null', 'in', 'as', 'break', 'const', 'continue', 'else', 'for', 'function', 'if',
'import', 'let', 'loop', 'package', 'namespace', 'return'.
Examples:
- Expression accessing a property named 'namespace': {"Expression": "object.__namespace__ > 0"}
- Expression accessing a property named 'x-prop': {"Expression": "object.x__dash__prop > 0"}
- Expression accessing a property named 'redact__d': {"Expression": "object.redact__underscores__d > 0"}
Equality on arrays with list type of ‘set’ or ‘map’ ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
- ‘set’: X + Y performs a union where the array positions of all elements in X are preserved and non-intersecting elements in Y are appended, retaining their partial order.
- ‘map’: X + Y performs a merge where the array positions of all keys in X are preserved but the values are overwritten by values in Y when the key sets of X and Y intersect. Elements in Y with non-intersecting keys are appended, retaining their partial order.
Required.
expression except for ‘authorizer’ and ‘authorizer.requestResource’.
Example: "object.x must be less than max ("+string(params.max)+")"

name is the name of the resource being referenced. name and selector are mutually exclusive properties. If one is set, the other must be unset.
namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both name and selector fields.
A per-namespace parameter may be used by specifying a namespace-scoped paramKind in the policy and leaving this field empty.
If paramKind is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.
If paramKind is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.
parameterNotFoundAction controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to Allow, then no matched parameters will be treated as successful validation by the binding. If set to Deny, then no matched parameters will be subject to the failurePolicy of the policy.
Allowed values are Allow or Deny. Defaults to Deny.
selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.
If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.
One of name or selector must be set, but name and selector are mutually exclusive properties. If one is set, the other must be unset.
variables in other expressions of the policy.

any or all statement. A direct list of conditions (without any or all statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules

cosign.pub containing the public key used for verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type of condition in CamelCase or in foo.example.com/CamelCase.
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
Channel defines the upgrade channels for Crossplane. We support the following channels where ‘Stable’ is the default:
- None: disables auto-upgrades and keeps the control plane at its current version of Crossplane.
- Patch: automatically upgrades the control plane to the latest supported patch version when it becomes available while keeping the minor version the same.
- Stable: automatically upgrades the control plane to the latest supported patch release on minor version N-1, where N is the latest supported minor version.
- Rapid: automatically upgrades the cluster to the latest supported patch release on the latest supported minor version.
State defines the state for crossplane and provider workloads. We support the following states where ‘Running’ is the default:
- Running: Starts/Scales up all crossplane and provider workloads in the ControlPlane
- Paused: Pauses/Scales down all crossplane and provider workloads in the ControlPlane
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
Deprecated: Use Hub or Upbound identities instead.
Annotations are the annotations to be added to connection secret.
- For Kubernetes secrets, this will be used as ‘metadata.annotations’.
- It is up to the Secret Store implementation for other store types.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
If omitted, it is defaulted to the namespace of the ControlPlane. Deprecated: Use Hub or Upbound identities instead.
storeRef fields.
The secret store configuration, including referenced credentials, is not leaked into the ControlPlanes and in that sense can be called secure, as it is invisible to the ControlPlane workloads.

token is the default. If one is not specified, the one bound to the controller will be used.

Auth type defines how to authenticate to the keyvault service. Valid values are:
- ‘ServicePrincipal’ (default): Using a service principal (tenantId, clientId, clientSecret)
- ‘ManagedIdentity’: Using Managed Identity assigned to the pod (see aad-pod-identity)

TokenRequest API.

key field must be specified and denotes which entry within the Secret resource is used as the app role id.

key field must be specified and denotes which entry within the Secret resource is used as the app role secret.

serviceAccountRef.
Defaults to a single audience vault if not specified.
Deprecated: use serviceAccountRef.Audiences instead.

Deprecated: this will be removed in the future.
Defaults to 10 minutes.