Skip to content

Commit

Permalink
Merge pull request kubewarden#428 from viccuad/main
Browse files Browse the repository at this point in the history 
feat: Update reference/CRDs.md for matchConditions
  • Loading branch information
@jvanz
jvanz authored Jul 25, 2024
2 parents f5daa58 + 7153750 commit 74f1ac5
Showing 1 changed file with 21 additions and 19 deletions.
40 changes: 21 additions & 19 deletions docs/reference/CRDs.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,15 +29,12 @@ Be careful Does yarn build work locally?
# API Reference

## Packages

- [policies.kubewarden.io/v1](#policieskubewardeniov1)
- [policies.kubewarden.io/v1alpha2](#policieskubewardeniov1alpha2)


## policies.kubewarden.io/v1



Package v1 contains API Schema definitions for the policies v1 API group

### Resource Types
Expand Down Expand Up @@ -71,7 +68,7 @@ _Appears in:_



AdmissionPolicyList contains a list of AdmissionPolicy
AdmissionPolicyList contains a list of AdmissionPolicy.



Expand All @@ -87,7 +84,7 @@ AdmissionPolicyList contains a list of AdmissionPolicy



AdmissionPolicySpec defines the desired state of AdmissionPolicy
AdmissionPolicySpec defines the desired state of AdmissionPolicy.

_Appears in:_
- [AdmissionPolicy](#admissionpolicy)
Expand All @@ -103,6 +100,7 @@ _Appears in:_
| `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. |
| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". |
| `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". <ul> <li> Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. </li> <li> Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. </li> </ul> Defaults to "Equivalent" |
| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped Only available if the feature gate AdmissionWebhookMatchConditions is enabled. |
| `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. |
| `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. |
| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds. |
Expand Down Expand Up @@ -145,7 +143,7 @@ ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy



ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy
ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.

_Appears in:_
- [ClusterAdmissionPolicy](#clusteradmissionpolicy)
Expand All @@ -161,6 +159,7 @@ _Appears in:_
| `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. |
| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". |
| `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". <ul> <li> Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. </li> <li> Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. </li> </ul> Defaults to "Equivalent" |
| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped Only available if the feature gate AdmissionWebhookMatchConditions is enabled. |
| `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. |
| `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. |
| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds. |
Expand All @@ -172,7 +171,7 @@ _Appears in:_



ContextAwareResource identifies a Kubernetes resource
ContextAwareResource identifies a Kubernetes resource.

_Appears in:_
- [ClusterAdmissionPolicySpec](#clusteradmissionpolicyspec)
Expand Down Expand Up @@ -213,7 +212,7 @@ _Appears in:_



PolicyServer is the Schema for the policyservers API
PolicyServer is the Schema for the policyservers API.

_Appears in:_
- [PolicyServerList](#policyserverlist)
Expand All @@ -230,7 +229,7 @@ _Appears in:_



PolicyServerList contains a list of PolicyServer
PolicyServerList contains a list of PolicyServer.



Expand All @@ -246,7 +245,7 @@ PolicyServerList contains a list of PolicyServer



PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload
PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload.

_Appears in:_
- [PolicyServerSpec](#policyserverspec)
Expand All @@ -261,7 +260,7 @@ _Appears in:_



PolicyServerSpec defines the desired state of PolicyServer
PolicyServerSpec defines the desired state of PolicyServer.

_Appears in:_
- [PolicyServer](#policyserver)
Expand All @@ -270,8 +269,8 @@ _Appears in:_
| --- | --- |
| `image` _string_ | Docker image name. |
| `replicas` _integer_ | Replicas is the number of desired replicas. |
| `minAvailable` _IntOrString_ | Number of policy server replicas that must be still available after the eviction |
| `maxUnavailable` _IntOrString_ | Number of policy server replicas that can be unavailable after the eviction |
| `minAvailable` _IntOrString_ | Number of policy server replicas that must be still available after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or Max MaxUnavailable can be set. |
| `maxUnavailable` _IntOrString_ | Number of policy server replicas that can be unavailable after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or Max MaxUnavailable can be set. |
| `annotations` _object (keys:string, values:string)_ | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations |
| `env` _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#envvar-v1-core) array_ | List of environment variables to set in the container. |
| `serviceAccountName` _string_ | Name of the service account associated with the policy server. Namespace service account will be used if not specified. |
Expand All @@ -283,6 +282,7 @@ _Appears in:_
| `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#affinity-v1-core)_ | Affinity rules for the associated Policy Server pods. |
| `limits` _object (keys:[ResourceName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcename-v1-core), values:Quantity)_ | Limits describes the maximum amount of compute resources allowed. |
| `requests` _object (keys:[ResourceName](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#resourcename-v1-core), values:Quantity)_ | Requests describes the minimum amount of compute resources required. If Request is omitted for, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value |
| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#toleration-v1-core) array_ | Tolerations describe the policy server pod's tolerations. It can be used to ensure that the policy server pod is not scheduled onto a node with a taint. |



Expand All @@ -308,6 +308,7 @@ _Appears in:_
| `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. |
| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true". |
| `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". <ul> <li> Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. </li> <li> Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. </li> </ul> Defaults to "Equivalent" |
| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped Only available if the feature gate AdmissionWebhookMatchConditions is enabled. |
| `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. |
| `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. |
| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds. |
Expand Down Expand Up @@ -362,7 +363,7 @@ _Appears in:_



AdmissionPolicyList contains a list of AdmissionPolicy
AdmissionPolicyList contains a list of AdmissionPolicy.



Expand All @@ -378,7 +379,7 @@ AdmissionPolicyList contains a list of AdmissionPolicy



AdmissionPolicySpec defines the desired state of AdmissionPolicy
AdmissionPolicySpec defines the desired state of AdmissionPolicy.

_Appears in:_
- [AdmissionPolicy](#admissionpolicy)
Expand Down Expand Up @@ -435,7 +436,7 @@ ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy



ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy
ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.

_Appears in:_
- [ClusterAdmissionPolicy](#clusteradmissionpolicy)
Expand Down Expand Up @@ -486,7 +487,7 @@ _Appears in:_



PolicyServer is the Schema for the policyservers API
PolicyServer is the Schema for the policyservers API.

_Appears in:_
- [PolicyServerList](#policyserverlist)
Expand All @@ -503,7 +504,7 @@ _Appears in:_



PolicyServerList contains a list of PolicyServer
PolicyServerList contains a list of PolicyServer.



Expand All @@ -519,7 +520,7 @@ PolicyServerList contains a list of PolicyServer



PolicyServerSpec defines the desired state of PolicyServer
PolicyServerSpec defines the desired state of PolicyServer.

_Appears in:_
- [PolicyServer](#policyserver)
Expand Down Expand Up @@ -576,3 +577,4 @@ _Appears in:_
- [PolicyStatus](#policystatus)



0 comments on commit 74f1ac5

Please sign in to comment.