1/*
2Copyright The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17
18// This file was autogenerated by go-to-protobuf. Do not edit it manually!
19
20syntax = "proto2";
21
22package k8s.io.api.admissionregistration.v1alpha1;
23
24import "k8s.io/api/admissionregistration/v1/generated.proto";
25import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
26import "k8s.io/apimachinery/pkg/runtime/generated.proto";
27import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
28
29// Package-wide variables from generator "generated".
30option go_package = "k8s.io/api/admissionregistration/v1alpha1";
31
32// AuditAnnotation describes how to produce an audit annotation for an API request.
33message AuditAnnotation {
34 // key specifies the audit annotation key. The audit annotation keys of
35 // a ValidatingAdmissionPolicy must be unique. The key must be a qualified
36 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
37 //
38 // The key is combined with the resource name of the
39 // ValidatingAdmissionPolicy to construct an audit annotation key:
40 // "{ValidatingAdmissionPolicy name}/{key}".
41 //
42 // If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
43 // and the same audit annotation key, the annotation key will be identical.
44 // In this case, the first annotation written with the key will be included
45 // in the audit event and all subsequent annotations with the same key
46 // will be discarded.
47 //
48 // Required.
49 optional string key = 1;
50
51 // valueExpression represents the expression which is evaluated by CEL to
52 // produce an audit annotation value. The expression must evaluate to either
53 // a string or null value. If the expression evaluates to a string, the
54 // audit annotation is included with the string value. If the expression
55 // evaluates to null or empty string the audit annotation will be omitted.
56 // The valueExpression may be no longer than 5kb in length.
57 // If the result of the valueExpression is more than 10kb in length, it
58 // will be truncated to 10kb.
59 //
60 // If multiple ValidatingAdmissionPolicyBinding resources match an
61 // API request, then the valueExpression will be evaluated for
62 // each binding. All unique values produced by the valueExpressions
63 // will be joined together in a comma-separated list.
64 //
65 // Required.
66 optional string valueExpression = 2;
67}
68
69// ExpressionWarning is a warning information that targets a specific expression.
70message ExpressionWarning {
71 // The path to the field that refers the expression.
72 // For example, the reference to the expression of the first item of
73 // validations is "spec.validations[0].expression"
74 optional string fieldRef = 2;
75
76 // The content of type checking information in a human-readable form.
77 // Each line of the warning contains the type that the expression is checked
78 // against, followed by the type check error from the compiler.
79 optional string warning = 3;
80}
81
82message MatchCondition {
83 // Name is an identifier for this match condition, used for strategic merging of MatchConditions,
84 // as well as providing an identifier for logging purposes. A good name should be descriptive of
85 // the associated expression.
86 // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
87 // must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
88 // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
89 // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
90 //
91 // Required.
92 optional string name = 1;
93
94 // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
95 // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
96 //
97 // 'object' - The object from the incoming request. The value is null for DELETE requests.
98 // 'oldObject' - The existing object. The value is null for CREATE requests.
99 // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
100 // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
101 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
102 // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
103 // request resource.
104 // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
105 //
106 // Required.
107 optional string expression = 2;
108}
109
110// MatchResources decides whether to run the admission control policy on an object based
111// on whether it meets the match criteria.
112// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
113// +structType=atomic
114message MatchResources {
115 // NamespaceSelector decides whether to run the admission control policy on an object based
116 // on whether the namespace for that object matches the selector. If the
117 // object itself is a namespace, the matching is performed on
118 // object.metadata.labels. If the object is another cluster scoped resource,
119 // it never skips the policy.
120 //
121 // For example, to run the webhook on any objects whose namespace is not
122 // associated with "runlevel" of "0" or "1"; you will set the selector as
123 // follows:
124 // "namespaceSelector": {
125 // "matchExpressions": [
126 // {
127 // "key": "runlevel",
128 // "operator": "NotIn",
129 // "values": [
130 // "0",
131 // "1"
132 // ]
133 // }
134 // ]
135 // }
136 //
137 // If instead you want to only run the policy on any objects whose
138 // namespace is associated with the "environment" of "prod" or "staging";
139 // you will set the selector as follows:
140 // "namespaceSelector": {
141 // "matchExpressions": [
142 // {
143 // "key": "environment",
144 // "operator": "In",
145 // "values": [
146 // "prod",
147 // "staging"
148 // ]
149 // }
150 // ]
151 // }
152 //
153 // See
154 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
155 // for more examples of label selectors.
156 //
157 // Default to the empty LabelSelector, which matches everything.
158 // +optional
159 optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 1;
160
161 // ObjectSelector decides whether to run the validation based on if the
162 // object has matching labels. objectSelector is evaluated against both
163 // the oldObject and newObject that would be sent to the cel validation, and
164 // is considered to match if either object matches the selector. A null
165 // object (oldObject in the case of create, or newObject in the case of
166 // delete) or an object that cannot have labels (like a
167 // DeploymentRollback or a PodProxyOptions object) is not considered to
168 // match.
169 // Use the object selector only if the webhook is opt-in, because end
170 // users may skip the admission webhook by setting the labels.
171 // Default to the empty LabelSelector, which matches everything.
172 // +optional
173 optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector objectSelector = 2;
174
175 // ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
176 // The policy cares about an operation if it matches _any_ Rule.
177 // +listType=atomic
178 // +optional
179 repeated NamedRuleWithOperations resourceRules = 3;
180
181 // ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
182 // The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
183 // +listType=atomic
184 // +optional
185 repeated NamedRuleWithOperations excludeResourceRules = 4;
186
187 // matchPolicy defines how the "MatchResources" list is used to match incoming requests.
188 // Allowed values are "Exact" or "Equivalent".
189 //
190 // - Exact: match a request only if it exactly matches a specified rule.
191 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
192 // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
193 // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
194 //
195 // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
196 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
197 // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
198 // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
199 //
200 // Defaults to "Equivalent"
201 // +optional
202 optional string matchPolicy = 7;
203}
204
205// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
206// +structType=atomic
207message NamedRuleWithOperations {
208 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
209 // +listType=atomic
210 // +optional
211 repeated string resourceNames = 1;
212
213 // RuleWithOperations is a tuple of Operations and Resources.
214 optional k8s.io.api.admissionregistration.v1.RuleWithOperations ruleWithOperations = 2;
215}
216
217// ParamKind is a tuple of Group Kind and Version.
218// +structType=atomic
219message ParamKind {
220 // APIVersion is the API group version the resources belong to.
221 // In format of "group/version".
222 // Required.
223 optional string apiVersion = 1;
224
225 // Kind is the API kind the resources belong to.
226 // Required.
227 optional string kind = 2;
228}
229
230// ParamRef describes how to locate the params to be used as input to
231// expressions of rules applied by a policy binding.
232// +structType=atomic
233message ParamRef {
234 // `name` is the name of the resource being referenced.
235 //
236 // `name` and `selector` are mutually exclusive properties. If one is set,
237 // the other must be unset.
238 //
239 // +optional
240 optional string name = 1;
241
242 // namespace is the namespace of the referenced resource. Allows limiting
243 // the search for params to a specific namespace. Applies to both `name` and
244 // `selector` fields.
245 //
246 // A per-namespace parameter may be used by specifying a namespace-scoped
247 // `paramKind` in the policy and leaving this field empty.
248 //
249 // - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
250 // field results in a configuration error.
251 //
252 // - If `paramKind` is namespace-scoped, the namespace of the object being
253 // evaluated for admission will be used when this field is left unset. Take
254 // care that if this is left empty the binding must not match any cluster-scoped
255 // resources, which will result in an error.
256 //
257 // +optional
258 optional string namespace = 2;
259
260 // selector can be used to match multiple param objects based on their labels.
261 // Supply selector: {} to match all resources of the ParamKind.
262 //
263 // If multiple params are found, they are all evaluated with the policy expressions
264 // and the results are ANDed together.
265 //
266 // One of `name` or `selector` must be set, but `name` and `selector` are
267 // mutually exclusive properties. If one is set, the other must be unset.
268 //
269 // +optional
270 optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 3;
271
272 // `parameterNotFoundAction` controls the behavior of the binding when the resource
273 // exists, and name or selector is valid, but there are no parameters
274 // matched by the binding. If the value is set to `Allow`, then no
275 // matched parameters will be treated as successful validation by the binding.
276 // If set to `Deny`, then no matched parameters will be subject to the
277 // `failurePolicy` of the policy.
278 //
279 // Allowed values are `Allow` or `Deny`
280 // Default to `Deny`
281 // +optional
282 optional string parameterNotFoundAction = 4;
283}
284
285// TypeChecking contains results of type checking the expressions in the
286// ValidatingAdmissionPolicy
287message TypeChecking {
288 // The type checking warnings for each expression.
289 // +optional
290 // +listType=atomic
291 repeated ExpressionWarning expressionWarnings = 1;
292}
293
294// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
295message ValidatingAdmissionPolicy {
296 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
297 // +optional
298 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
299
300 // Specification of the desired behavior of the ValidatingAdmissionPolicy.
301 optional ValidatingAdmissionPolicySpec spec = 2;
302
303 // The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
304 // behaves in the expected way.
305 // Populated by the system.
306 // Read-only.
307 // +optional
308 optional ValidatingAdmissionPolicyStatus status = 3;
309}
310
311// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
312// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
313//
314// For a given admission request, each binding will cause its policy to be
315// evaluated N times, where N is 1 for policies/bindings that don't use
316// params, otherwise N is the number of parameters selected by the binding.
317//
318// The CEL expressions of a policy must have a computed CEL cost below the maximum
319// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
320// Adding/removing policies, bindings, or params can not affect whether a
321// given (policy, binding, param) combination is within its own CEL budget.
322message ValidatingAdmissionPolicyBinding {
323 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
324 // +optional
325 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
326
327 // Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
328 optional ValidatingAdmissionPolicyBindingSpec spec = 2;
329}
330
331// ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.
332message ValidatingAdmissionPolicyBindingList {
333 // Standard list metadata.
334 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
335 // +optional
336 optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
337
338 // List of PolicyBinding.
339 repeated ValidatingAdmissionPolicyBinding items = 2;
340}
341
342// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
343message ValidatingAdmissionPolicyBindingSpec {
344 // PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
345 // If the referenced resource does not exist, this binding is considered invalid and will be ignored
346 // Required.
347 optional string policyName = 1;
348
349 // paramRef specifies the parameter resource used to configure the admission control policy.
350 // It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
351 // If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
352 // If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
353 // +optional
354 optional ParamRef paramRef = 2;
355
356 // MatchResources declares what resources match this binding and will be validated by it.
357 // Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
358 // If this is unset, all resources matched by the policy are validated by this binding
359 // When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
360 // Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
361 // +optional
362 optional MatchResources matchResources = 3;
363
364 // validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
365 // If a validation evaluates to false it is always enforced according to these actions.
366 //
367 // Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
368 // to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
369 // ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
370 //
371 // validationActions is declared as a set of action values. Order does
372 // not matter. validationActions may not contain duplicates of the same action.
373 //
374 // The supported actions values are:
375 //
376 // "Deny" specifies that a validation failure results in a denied request.
377 //
378 // "Warn" specifies that a validation failure is reported to the request client
379 // in HTTP Warning headers, with a warning code of 299. Warnings can be sent
380 // both for allowed or denied admission responses.
381 //
382 // "Audit" specifies that a validation failure is included in the published
383 // audit event for the request. The audit event will contain a
384 // `validation.policy.admission.k8s.io/validation_failure` audit annotation
385 // with a value containing the details of the validation failures, formatted as
386 // a JSON list of objects, each with the following fields:
387 // - message: The validation failure message string
388 // - policy: The resource name of the ValidatingAdmissionPolicy
389 // - binding: The resource name of the ValidatingAdmissionPolicyBinding
390 // - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
391 // - validationActions: The enforcement actions enacted for the validation failure
392 // Example audit annotation:
393 // `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
394 //
395 // Clients should expect to handle additional values by ignoring
396 // any values not recognized.
397 //
398 // "Deny" and "Warn" may not be used together since this combination
399 // needlessly duplicates the validation failure both in the
400 // API response body and the HTTP warning headers.
401 //
402 // Required.
403 // +listType=set
404 repeated string validationActions = 4;
405}
406
407// ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.
408message ValidatingAdmissionPolicyList {
409 // Standard list metadata.
410 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
411 // +optional
412 optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
413
414 // List of ValidatingAdmissionPolicy.
415 repeated ValidatingAdmissionPolicy items = 2;
416}
417
418// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
419message ValidatingAdmissionPolicySpec {
420 // ParamKind specifies the kind of resources used to parameterize this policy.
421 // If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
422 // If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
423 // If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
424 // +optional
425 optional ParamKind paramKind = 1;
426
427 // MatchConstraints specifies what resources this policy is designed to validate.
428 // The AdmissionPolicy cares about a request if it matches _all_ Constraints.
429 // However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
430 // ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
431 // Required.
432 optional MatchResources matchConstraints = 2;
433
434 // Validations contain CEL expressions which is used to apply the validation.
435 // Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
436 // required.
437 // +listType=atomic
438 // +optional
439 repeated Validation validations = 3;
440
441 // failurePolicy defines how to handle failures for the admission policy. Failures can
442 // occur from CEL expression parse errors, type check errors, runtime errors and invalid
443 // or mis-configured policy definitions or bindings.
444 //
445 // A policy is invalid if spec.paramKind refers to a non-existent Kind.
446 // A binding is invalid if spec.paramRef.name refers to a non-existent resource.
447 //
448 // failurePolicy does not define how validations that evaluate to false are handled.
449 //
450 // When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
451 // define how failures are enforced.
452 //
453 // Allowed values are Ignore or Fail. Defaults to Fail.
454 // +optional
455 optional string failurePolicy = 4;
456
457 // auditAnnotations contains CEL expressions which are used to produce audit
458 // annotations for the audit event of the API request.
459 // validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
460 // required.
461 // +listType=atomic
462 // +optional
463 repeated AuditAnnotation auditAnnotations = 5;
464
465 // MatchConditions is a list of conditions that must be met for a request to be validated.
466 // Match conditions filter requests that have already been matched by the rules,
467 // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
468 // There are a maximum of 64 match conditions allowed.
469 //
470 // If a parameter object is provided, it can be accessed via the `params` handle in the same
471 // manner as validation expressions.
472 //
473 // The exact matching logic is (in order):
474 // 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
475 // 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
476 // 3. If any matchCondition evaluates to an error (but none are FALSE):
477 // - If failurePolicy=Fail, reject the request
478 // - If failurePolicy=Ignore, the policy is skipped
479 //
480 // +patchMergeKey=name
481 // +patchStrategy=merge
482 // +listType=map
483 // +listMapKey=name
484 // +optional
485 repeated MatchCondition matchConditions = 6;
486
487 // Variables contain definitions of variables that can be used in composition of other expressions.
488 // Each variable is defined as a named CEL expression.
489 // The variables defined here will be available under `variables` in other expressions of the policy
490 // except MatchConditions because MatchConditions are evaluated before the rest of the policy.
491 //
492 // The expression of a variable can refer to other variables defined earlier in the list but not those after.
493 // Thus, Variables must be sorted by the order of first appearance and acyclic.
494 // +patchMergeKey=name
495 // +patchStrategy=merge
496 // +listType=map
497 // +listMapKey=name
498 // +optional
499 repeated Variable variables = 7;
500}
501
502// ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.
503message ValidatingAdmissionPolicyStatus {
504 // The generation observed by the controller.
505 // +optional
506 optional int64 observedGeneration = 1;
507
508 // The results of type checking for each expression.
509 // Presence of this field indicates the completion of the type checking.
510 // +optional
511 optional TypeChecking typeChecking = 2;
512
513 // The conditions represent the latest available observations of a policy's current state.
514 // +optional
515 // +listType=map
516 // +listMapKey=type
517 repeated k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 3;
518}
519
520// Validation specifies the CEL expression which is used to apply the validation.
521message Validation {
522 // Expression represents the expression which will be evaluated by CEL.
523 // ref: https://github.com/google/cel-spec
524 // CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
525 //
526 // - 'object' - The object from the incoming request. The value is null for DELETE requests.
527 // - 'oldObject' - The existing object. The value is null for CREATE requests.
528 // - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
529 // - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
530 // - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
531 // - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
532 // For example, a variable named 'foo' can be accessed as 'variables.foo'.
533 // - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
534 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
535 // - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
536 // request resource.
537 //
538 // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
539 // object. No other metadata properties are accessible.
540 //
541 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
542 // Accessible property names are escaped according to the following rules when accessed in the expression:
543 // - '__' escapes to '__underscores__'
544 // - '.' escapes to '__dot__'
545 // - '-' escapes to '__dash__'
546 // - '/' escapes to '__slash__'
547 // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
548 // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
549 // "import", "let", "loop", "package", "namespace", "return".
550 // Examples:
551 // - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
552 // - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
553 // - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
554 //
555 // Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
556 // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
557 // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
558 // non-intersecting elements in `Y` are appended, retaining their partial order.
559 // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
560 // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
561 // non-intersecting keys are appended, retaining their partial order.
562 // Required.
563 optional string Expression = 1;
564
565 // Message represents the message displayed when validation fails. The message is required if the Expression contains
566 // line breaks. The message must not contain line breaks.
567 // If unset, the message is "failed rule: {Rule}".
568 // e.g. "must be a URL with the host matching spec.host"
569 // If the Expression contains line breaks. Message is required.
570 // The message must not contain line breaks.
571 // If unset, the message is "failed Expression: {Expression}".
572 // +optional
573 optional string message = 2;
574
575 // Reason represents a machine-readable description of why this validation failed.
576 // If this is the first validation in the list to fail, this reason, as well as the
577 // corresponding HTTP response code, are used in the
578 // HTTP response to the client.
579 // The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
580 // If not set, StatusReasonInvalid is used in the response to the client.
581 // +optional
582 optional string reason = 3;
583
584 // messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
585 // Since messageExpression is used as a failure message, it must evaluate to a string.
586 // If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
587 // If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
588 // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
589 // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
590 // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
591 // messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
592 // Example:
593 // "object.x must be less than max ("+string(params.max)+")"
594 // +optional
595 optional string messageExpression = 4;
596}
597
598// Variable is the definition of a variable that is used for composition.
599message Variable {
600 // Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
601 // The variable can be accessed in other expressions through `variables`
602 // For example, if name is "foo", the variable will be available as `variables.foo`
603 optional string Name = 1;
604
605 // Expression is the expression that will be evaluated as the value of the variable.
606 // The CEL expression has access to the same identifiers as the CEL expressions in Validation.
607 optional string Expression = 2;
608}
609
View as plain text