1 /* 2 Copyright 2022 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package v1alpha1 18 19 import ( 20 v1 "k8s.io/api/admissionregistration/v1" 21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 ) 23 24 // Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended 25 // to make sure that all the tuple expansions are valid. 26 type Rule = v1.Rule 27 28 // ScopeType specifies a scope for a Rule. 29 // +enum 30 type ScopeType = v1.ScopeType 31 32 const ( 33 // ClusterScope means that scope is limited to cluster-scoped objects. 34 // Namespace objects are cluster-scoped. 35 ClusterScope ScopeType = v1.ClusterScope 36 // NamespacedScope means that scope is limited to namespaced objects. 37 NamespacedScope ScopeType = v1.NamespacedScope 38 // AllScopes means that all scopes are included. 39 AllScopes ScopeType = v1.AllScopes 40 ) 41 42 // ParameterNotFoundActionType specifies a failure policy that defines how a binding 43 // is evaluated when the param referred by its perNamespaceParamRef is not found. 44 // +enum 45 type ParameterNotFoundActionType string 46 47 const ( 48 // Ignore means that an error finding params for a binding is ignored 49 AllowAction ParameterNotFoundActionType = "Allow" 50 // Fail means that an error finding params for a binding is ignored 51 DenyAction ParameterNotFoundActionType = "Deny" 52 ) 53 54 // FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. 55 // +enum 56 type FailurePolicyType string 57 58 const ( 59 // Ignore means that an error calling the webhook is ignored. 60 Ignore FailurePolicyType = "Ignore" 61 // Fail means that an error calling the webhook causes the admission to fail. 62 Fail FailurePolicyType = "Fail" 63 ) 64 65 // MatchPolicyType specifies the type of match policy. 66 // +enum 67 type MatchPolicyType string 68 69 const ( 70 // Exact means requests should only be sent to the webhook if they exactly match a given rule. 71 Exact MatchPolicyType = "Exact" 72 // Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. 73 Equivalent MatchPolicyType = "Equivalent" 74 ) 75 76 // +genclient 77 // +genclient:nonNamespaced 78 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 79 // +k8s:prerelease-lifecycle-gen:introduced=1.26 80 81 // ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it. 82 type ValidatingAdmissionPolicy struct { 83 metav1.TypeMeta `json:",inline"` 84 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 85 // +optional 86 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 87 // Specification of the desired behavior of the ValidatingAdmissionPolicy. 88 Spec ValidatingAdmissionPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 89 // The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy 90 // behaves in the expected way. 91 // Populated by the system. 92 // Read-only. 93 // +optional 94 Status ValidatingAdmissionPolicyStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` 95 } 96 97 // ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy. 98 type ValidatingAdmissionPolicyStatus struct { 99 // The generation observed by the controller. 100 // +optional 101 ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"` 102 // The results of type checking for each expression. 103 // Presence of this field indicates the completion of the type checking. 104 // +optional 105 TypeChecking *TypeChecking `json:"typeChecking,omitempty" protobuf:"bytes,2,opt,name=typeChecking"` 106 // The conditions represent the latest available observations of a policy's current state. 107 // +optional 108 // +listType=map 109 // +listMapKey=type 110 Conditions []metav1.Condition `json:"conditions,omitempty" protobuf:"bytes,3,rep,name=conditions"` 111 } 112 113 // TypeChecking contains results of type checking the expressions in the 114 // ValidatingAdmissionPolicy 115 type TypeChecking struct { 116 // The type checking warnings for each expression. 117 // +optional 118 // +listType=atomic 119 ExpressionWarnings []ExpressionWarning `json:"expressionWarnings,omitempty" protobuf:"bytes,1,rep,name=expressionWarnings"` 120 } 121 122 // ExpressionWarning is a warning information that targets a specific expression. 123 type ExpressionWarning struct { 124 // The path to the field that refers the expression. 125 // For example, the reference to the expression of the first item of 126 // validations is "spec.validations[0].expression" 127 FieldRef string `json:"fieldRef" protobuf:"bytes,2,opt,name=fieldRef"` 128 // The content of type checking information in a human-readable form. 129 // Each line of the warning contains the type that the expression is checked 130 // against, followed by the type check error from the compiler. 131 Warning string `json:"warning" protobuf:"bytes,3,opt,name=warning"` 132 } 133 134 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 135 // +k8s:prerelease-lifecycle-gen:introduced=1.26 136 137 // ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy. 138 type ValidatingAdmissionPolicyList struct { 139 metav1.TypeMeta `json:",inline"` 140 // Standard list metadata. 141 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 142 // +optional 143 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 144 // List of ValidatingAdmissionPolicy. 145 Items []ValidatingAdmissionPolicy `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"` 146 } 147 148 // ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy. 149 type ValidatingAdmissionPolicySpec struct { 150 // ParamKind specifies the kind of resources used to parameterize this policy. 151 // If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. 152 // If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. 153 // If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. 154 // +optional 155 ParamKind *ParamKind `json:"paramKind,omitempty" protobuf:"bytes,1,rep,name=paramKind"` 156 157 // MatchConstraints specifies what resources this policy is designed to validate. 158 // The AdmissionPolicy cares about a request if it matches _all_ Constraints. 159 // However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API 160 // ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. 161 // Required. 162 MatchConstraints *MatchResources `json:"matchConstraints,omitempty" protobuf:"bytes,2,rep,name=matchConstraints"` 163 164 // Validations contain CEL expressions which is used to apply the validation. 165 // Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is 166 // required. 167 // +listType=atomic 168 // +optional 169 Validations []Validation `json:"validations,omitempty" protobuf:"bytes,3,rep,name=validations"` 170 171 // failurePolicy defines how to handle failures for the admission policy. Failures can 172 // occur from CEL expression parse errors, type check errors, runtime errors and invalid 173 // or mis-configured policy definitions or bindings. 174 // 175 // A policy is invalid if spec.paramKind refers to a non-existent Kind. 176 // A binding is invalid if spec.paramRef.name refers to a non-existent resource. 177 // 178 // failurePolicy does not define how validations that evaluate to false are handled. 179 // 180 // When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions 181 // define how failures are enforced. 182 // 183 // Allowed values are Ignore or Fail. Defaults to Fail. 184 // +optional 185 FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"` 186 187 // auditAnnotations contains CEL expressions which are used to produce audit 188 // annotations for the audit event of the API request. 189 // validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is 190 // required. 191 // +listType=atomic 192 // +optional 193 AuditAnnotations []AuditAnnotation `json:"auditAnnotations,omitempty" protobuf:"bytes,5,rep,name=auditAnnotations"` 194 195 // MatchConditions is a list of conditions that must be met for a request to be validated. 196 // Match conditions filter requests that have already been matched by the rules, 197 // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. 198 // There are a maximum of 64 match conditions allowed. 199 // 200 // If a parameter object is provided, it can be accessed via the `params` handle in the same 201 // manner as validation expressions. 202 // 203 // The exact matching logic is (in order): 204 // 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 205 // 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 206 // 3. If any matchCondition evaluates to an error (but none are FALSE): 207 // - If failurePolicy=Fail, reject the request 208 // - If failurePolicy=Ignore, the policy is skipped 209 // 210 // +patchMergeKey=name 211 // +patchStrategy=merge 212 // +listType=map 213 // +listMapKey=name 214 // +optional 215 MatchConditions []MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,6,rep,name=matchConditions"` 216 217 // Variables contain definitions of variables that can be used in composition of other expressions. 218 // Each variable is defined as a named CEL expression. 219 // The variables defined here will be available under `variables` in other expressions of the policy 220 // except MatchConditions because MatchConditions are evaluated before the rest of the policy. 221 // 222 // The expression of a variable can refer to other variables defined earlier in the list but not those after. 223 // Thus, Variables must be sorted by the order of first appearance and acyclic. 224 // +patchMergeKey=name 225 // +patchStrategy=merge 226 // +listType=map 227 // +listMapKey=name 228 // +optional 229 Variables []Variable `json:"variables,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,7,rep,name=variables"` 230 } 231 232 type MatchCondition v1.MatchCondition 233 234 // ParamKind is a tuple of Group Kind and Version. 235 // +structType=atomic 236 type ParamKind struct { 237 // APIVersion is the API group version the resources belong to. 238 // In format of "group/version". 239 // Required. 240 APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,1,rep,name=apiVersion"` 241 242 // Kind is the API kind the resources belong to. 243 // Required. 244 Kind string `json:"kind,omitempty" protobuf:"bytes,2,rep,name=kind"` 245 } 246 247 // Validation specifies the CEL expression which is used to apply the validation. 248 type Validation struct { 249 // Expression represents the expression which will be evaluated by CEL. 250 // ref: https://github.com/google/cel-spec 251 // CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables: 252 // 253 // - 'object' - The object from the incoming request. The value is null for DELETE requests. 254 // - 'oldObject' - The existing object. The value is null for CREATE requests. 255 // - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). 256 // - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. 257 // - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 258 // - 'variables' - Map of composited variables, from its name to its lazily evaluated value. 259 // For example, a variable named 'foo' can be accessed as 'variables.foo'. 260 // - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 261 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 262 // - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the 263 // request resource. 264 // 265 // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the 266 // object. No other metadata properties are accessible. 267 // 268 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. 269 // Accessible property names are escaped according to the following rules when accessed in the expression: 270 // - '__' escapes to '__underscores__' 271 // - '.' escapes to '__dot__' 272 // - '-' escapes to '__dash__' 273 // - '/' escapes to '__slash__' 274 // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: 275 // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", 276 // "import", "let", "loop", "package", "namespace", "return". 277 // Examples: 278 // - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"} 279 // - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"} 280 // - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"} 281 // 282 // Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. 283 // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: 284 // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and 285 // non-intersecting elements in `Y` are appended, retaining their partial order. 286 // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values 287 // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with 288 // non-intersecting keys are appended, retaining their partial order. 289 // Required. 290 Expression string `json:"expression" protobuf:"bytes,1,opt,name=Expression"` 291 // Message represents the message displayed when validation fails. The message is required if the Expression contains 292 // line breaks. The message must not contain line breaks. 293 // If unset, the message is "failed rule: {Rule}". 294 // e.g. "must be a URL with the host matching spec.host" 295 // If the Expression contains line breaks. Message is required. 296 // The message must not contain line breaks. 297 // If unset, the message is "failed Expression: {Expression}". 298 // +optional 299 Message string `json:"message,omitempty" protobuf:"bytes,2,opt,name=message"` 300 // Reason represents a machine-readable description of why this validation failed. 301 // If this is the first validation in the list to fail, this reason, as well as the 302 // corresponding HTTP response code, are used in the 303 // HTTP response to the client. 304 // The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". 305 // If not set, StatusReasonInvalid is used in the response to the client. 306 // +optional 307 Reason *metav1.StatusReason `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"` 308 // messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. 309 // Since messageExpression is used as a failure message, it must evaluate to a string. 310 // If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. 311 // If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced 312 // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string 313 // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and 314 // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. 315 // messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. 316 // Example: 317 // "object.x must be less than max ("+string(params.max)+")" 318 // +optional 319 MessageExpression string `json:"messageExpression,omitempty" protobuf:"bytes,4,opt,name=messageExpression"` 320 } 321 322 // Variable is the definition of a variable that is used for composition. 323 type Variable struct { 324 // Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 325 // The variable can be accessed in other expressions through `variables` 326 // For example, if name is "foo", the variable will be available as `variables.foo` 327 Name string `json:"name" protobuf:"bytes,1,opt,name=Name"` 328 329 // Expression is the expression that will be evaluated as the value of the variable. 330 // The CEL expression has access to the same identifiers as the CEL expressions in Validation. 331 Expression string `json:"expression" protobuf:"bytes,2,opt,name=Expression"` 332 } 333 334 // AuditAnnotation describes how to produce an audit annotation for an API request. 335 type AuditAnnotation struct { 336 // key specifies the audit annotation key. The audit annotation keys of 337 // a ValidatingAdmissionPolicy must be unique. The key must be a qualified 338 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. 339 // 340 // The key is combined with the resource name of the 341 // ValidatingAdmissionPolicy to construct an audit annotation key: 342 // "{ValidatingAdmissionPolicy name}/{key}". 343 // 344 // If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy 345 // and the same audit annotation key, the annotation key will be identical. 346 // In this case, the first annotation written with the key will be included 347 // in the audit event and all subsequent annotations with the same key 348 // will be discarded. 349 // 350 // Required. 351 Key string `json:"key" protobuf:"bytes,1,opt,name=key"` 352 353 // valueExpression represents the expression which is evaluated by CEL to 354 // produce an audit annotation value. The expression must evaluate to either 355 // a string or null value. If the expression evaluates to a string, the 356 // audit annotation is included with the string value. If the expression 357 // evaluates to null or empty string the audit annotation will be omitted. 358 // The valueExpression may be no longer than 5kb in length. 359 // If the result of the valueExpression is more than 10kb in length, it 360 // will be truncated to 10kb. 361 // 362 // If multiple ValidatingAdmissionPolicyBinding resources match an 363 // API request, then the valueExpression will be evaluated for 364 // each binding. All unique values produced by the valueExpressions 365 // will be joined together in a comma-separated list. 366 // 367 // Required. 368 ValueExpression string `json:"valueExpression" protobuf:"bytes,2,opt,name=valueExpression"` 369 } 370 371 // +genclient 372 // +genclient:nonNamespaced 373 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 374 // +k8s:prerelease-lifecycle-gen:introduced=1.26 375 376 // ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. 377 // ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters. 378 // 379 // For a given admission request, each binding will cause its policy to be 380 // evaluated N times, where N is 1 for policies/bindings that don't use 381 // params, otherwise N is the number of parameters selected by the binding. 382 // 383 // The CEL expressions of a policy must have a computed CEL cost below the maximum 384 // CEL budget. Each evaluation of the policy is given an independent CEL cost budget. 385 // Adding/removing policies, bindings, or params can not affect whether a 386 // given (policy, binding, param) combination is within its own CEL budget. 387 type ValidatingAdmissionPolicyBinding struct { 388 metav1.TypeMeta `json:",inline"` 389 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 390 // +optional 391 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 392 // Specification of the desired behavior of the ValidatingAdmissionPolicyBinding. 393 Spec ValidatingAdmissionPolicyBindingSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 394 } 395 396 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 397 // +k8s:prerelease-lifecycle-gen:introduced=1.26 398 399 // ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding. 400 type ValidatingAdmissionPolicyBindingList struct { 401 metav1.TypeMeta `json:",inline"` 402 // Standard list metadata. 403 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 404 // +optional 405 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 406 // List of PolicyBinding. 407 Items []ValidatingAdmissionPolicyBinding `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"` 408 } 409 410 // ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding. 411 type ValidatingAdmissionPolicyBindingSpec struct { 412 // PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. 413 // If the referenced resource does not exist, this binding is considered invalid and will be ignored 414 // Required. 415 PolicyName string `json:"policyName,omitempty" protobuf:"bytes,1,rep,name=policyName"` 416 417 // paramRef specifies the parameter resource used to configure the admission control policy. 418 // It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. 419 // If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. 420 // If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param. 421 // +optional 422 ParamRef *ParamRef `json:"paramRef,omitempty" protobuf:"bytes,2,rep,name=paramRef"` 423 424 // MatchResources declares what resources match this binding and will be validated by it. 425 // Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. 426 // If this is unset, all resources matched by the policy are validated by this binding 427 // When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. 428 // Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required. 429 // +optional 430 MatchResources *MatchResources `json:"matchResources,omitempty" protobuf:"bytes,3,rep,name=matchResources"` 431 432 // validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. 433 // If a validation evaluates to false it is always enforced according to these actions. 434 // 435 // Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according 436 // to these actions only if the FailurePolicy is set to Fail, otherwise the failures are 437 // ignored. This includes compilation errors, runtime errors and misconfigurations of the policy. 438 // 439 // validationActions is declared as a set of action values. Order does 440 // not matter. validationActions may not contain duplicates of the same action. 441 // 442 // The supported actions values are: 443 // 444 // "Deny" specifies that a validation failure results in a denied request. 445 // 446 // "Warn" specifies that a validation failure is reported to the request client 447 // in HTTP Warning headers, with a warning code of 299. Warnings can be sent 448 // both for allowed or denied admission responses. 449 // 450 // "Audit" specifies that a validation failure is included in the published 451 // audit event for the request. The audit event will contain a 452 // `validation.policy.admission.k8s.io/validation_failure` audit annotation 453 // with a value containing the details of the validation failures, formatted as 454 // a JSON list of objects, each with the following fields: 455 // - message: The validation failure message string 456 // - policy: The resource name of the ValidatingAdmissionPolicy 457 // - binding: The resource name of the ValidatingAdmissionPolicyBinding 458 // - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy 459 // - validationActions: The enforcement actions enacted for the validation failure 460 // Example audit annotation: 461 // `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"` 462 // 463 // Clients should expect to handle additional values by ignoring 464 // any values not recognized. 465 // 466 // "Deny" and "Warn" may not be used together since this combination 467 // needlessly duplicates the validation failure both in the 468 // API response body and the HTTP warning headers. 469 // 470 // Required. 471 // +listType=set 472 ValidationActions []ValidationAction `json:"validationActions,omitempty" protobuf:"bytes,4,rep,name=validationActions"` 473 } 474 475 // ParamRef describes how to locate the params to be used as input to 476 // expressions of rules applied by a policy binding. 477 // +structType=atomic 478 type ParamRef struct { 479 // `name` is the name of the resource being referenced. 480 // 481 // `name` and `selector` are mutually exclusive properties. If one is set, 482 // the other must be unset. 483 // 484 // +optional 485 Name string `json:"name,omitempty" protobuf:"bytes,1,rep,name=name"` 486 487 // namespace is the namespace of the referenced resource. Allows limiting 488 // the search for params to a specific namespace. Applies to both `name` and 489 // `selector` fields. 490 // 491 // A per-namespace parameter may be used by specifying a namespace-scoped 492 // `paramKind` in the policy and leaving this field empty. 493 // 494 // - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this 495 // field results in a configuration error. 496 // 497 // - If `paramKind` is namespace-scoped, the namespace of the object being 498 // evaluated for admission will be used when this field is left unset. Take 499 // care that if this is left empty the binding must not match any cluster-scoped 500 // resources, which will result in an error. 501 // 502 // +optional 503 Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,rep,name=namespace"` 504 505 // selector can be used to match multiple param objects based on their labels. 506 // Supply selector: {} to match all resources of the ParamKind. 507 // 508 // If multiple params are found, they are all evaluated with the policy expressions 509 // and the results are ANDed together. 510 // 511 // One of `name` or `selector` must be set, but `name` and `selector` are 512 // mutually exclusive properties. If one is set, the other must be unset. 513 // 514 // +optional 515 Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,3,rep,name=selector"` 516 517 // `parameterNotFoundAction` controls the behavior of the binding when the resource 518 // exists, and name or selector is valid, but there are no parameters 519 // matched by the binding. If the value is set to `Allow`, then no 520 // matched parameters will be treated as successful validation by the binding. 521 // If set to `Deny`, then no matched parameters will be subject to the 522 // `failurePolicy` of the policy. 523 // 524 // Allowed values are `Allow` or `Deny` 525 // Default to `Deny` 526 // +optional 527 ParameterNotFoundAction *ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty" protobuf:"bytes,4,rep,name=parameterNotFoundAction"` 528 } 529 530 // MatchResources decides whether to run the admission control policy on an object based 531 // on whether it meets the match criteria. 532 // The exclude rules take precedence over include rules (if a resource matches both, it is excluded) 533 // +structType=atomic 534 type MatchResources struct { 535 // NamespaceSelector decides whether to run the admission control policy on an object based 536 // on whether the namespace for that object matches the selector. If the 537 // object itself is a namespace, the matching is performed on 538 // object.metadata.labels. If the object is another cluster scoped resource, 539 // it never skips the policy. 540 // 541 // For example, to run the webhook on any objects whose namespace is not 542 // associated with "runlevel" of "0" or "1"; you will set the selector as 543 // follows: 544 // "namespaceSelector": { 545 // "matchExpressions": [ 546 // { 547 // "key": "runlevel", 548 // "operator": "NotIn", 549 // "values": [ 550 // "0", 551 // "1" 552 // ] 553 // } 554 // ] 555 // } 556 // 557 // If instead you want to only run the policy on any objects whose 558 // namespace is associated with the "environment" of "prod" or "staging"; 559 // you will set the selector as follows: 560 // "namespaceSelector": { 561 // "matchExpressions": [ 562 // { 563 // "key": "environment", 564 // "operator": "In", 565 // "values": [ 566 // "prod", 567 // "staging" 568 // ] 569 // } 570 // ] 571 // } 572 // 573 // See 574 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 575 // for more examples of label selectors. 576 // 577 // Default to the empty LabelSelector, which matches everything. 578 // +optional 579 NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,1,opt,name=namespaceSelector"` 580 // ObjectSelector decides whether to run the validation based on if the 581 // object has matching labels. objectSelector is evaluated against both 582 // the oldObject and newObject that would be sent to the cel validation, and 583 // is considered to match if either object matches the selector. A null 584 // object (oldObject in the case of create, or newObject in the case of 585 // delete) or an object that cannot have labels (like a 586 // DeploymentRollback or a PodProxyOptions object) is not considered to 587 // match. 588 // Use the object selector only if the webhook is opt-in, because end 589 // users may skip the admission webhook by setting the labels. 590 // Default to the empty LabelSelector, which matches everything. 591 // +optional 592 ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,2,opt,name=objectSelector"` 593 // ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. 594 // The policy cares about an operation if it matches _any_ Rule. 595 // +listType=atomic 596 // +optional 597 ResourceRules []NamedRuleWithOperations `json:"resourceRules,omitempty" protobuf:"bytes,3,rep,name=resourceRules"` 598 // ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. 599 // The exclude rules take precedence over include rules (if a resource matches both, it is excluded) 600 // +listType=atomic 601 // +optional 602 ExcludeResourceRules []NamedRuleWithOperations `json:"excludeResourceRules,omitempty" protobuf:"bytes,4,rep,name=excludeResourceRules"` 603 // matchPolicy defines how the "MatchResources" list is used to match incoming requests. 604 // Allowed values are "Exact" or "Equivalent". 605 // 606 // - Exact: match a request only if it exactly matches a specified rule. 607 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 608 // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 609 // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. 610 // 611 // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 612 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 613 // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 614 // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. 615 // 616 // Defaults to "Equivalent" 617 // +optional 618 MatchPolicy *MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,7,opt,name=matchPolicy,casttype=MatchPolicyType"` 619 } 620 621 // ValidationAction specifies a policy enforcement action. 622 // +enum 623 type ValidationAction string 624 625 const ( 626 // Deny specifies that a validation failure results in a denied request. 627 Deny ValidationAction = "Deny" 628 // Warn specifies that a validation failure is reported to the request client 629 // in HTTP Warning headers, with a warning code of 299. Warnings can be sent 630 // both for allowed or denied admission responses. 631 Warn ValidationAction = "Warn" 632 // Audit specifies that a validation failure is included in the published 633 // audit event for the request. The audit event will contain a 634 // `validation.policy.admission.k8s.io/validation_failure` audit annotation 635 // with a value containing the details of the validation failure. 636 Audit ValidationAction = "Audit" 637 ) 638 639 // NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. 640 // +structType=atomic 641 type NamedRuleWithOperations struct { 642 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. 643 // +listType=atomic 644 // +optional 645 ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,1,rep,name=resourceNames"` 646 // RuleWithOperations is a tuple of Operations and Resources. 647 RuleWithOperations `json:",inline" protobuf:"bytes,2,opt,name=ruleWithOperations"` 648 } 649 650 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make 651 // sure that all the tuple expansions are valid. 652 type RuleWithOperations = v1.RuleWithOperations 653 654 // OperationType specifies an operation for a request. 655 // +enum 656 type OperationType = v1.OperationType 657 658 // The constants should be kept in sync with those defined in k8s.io/kubernetes/pkg/admission/interface.go. 659 const ( 660 OperationAll OperationType = v1.OperationAll 661 Create OperationType = v1.Create 662 Update OperationType = v1.Update 663 Delete OperationType = v1.Delete 664 Connect OperationType = v1.Connect 665 ) 666