/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1beta1

import (
	v1 "k8s.io/api/admissionregistration/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Rule is a tuple of APIGroups, APIVersion, and Resources. It is recommended
// to make sure that all the tuple expansions are valid.
// It is an alias of the admissionregistration/v1 type, so values are
// interchangeable between the two API versions.
type Rule = v1.Rule

// ScopeType specifies a scope for a Rule.
// It is an alias of the admissionregistration/v1 type.
type ScopeType = v1.ScopeType

const (
	// ClusterScope means that scope is limited to cluster-scoped objects.
	// Namespace objects are cluster-scoped.
	ClusterScope ScopeType = v1.ClusterScope
	// NamespacedScope means that scope is limited to namespaced objects.
	NamespacedScope ScopeType = v1.NamespacedScope
	// AllScopes means that all scopes are included.
	AllScopes ScopeType = v1.AllScopes
)

// ParameterNotFoundActionType specifies a failure policy that defines how a binding
// is evaluated when the param referred to by its perNamespaceParamRef is not found.
type ParameterNotFoundActionType string

const (
	// AllowAction means all requests will be admitted if no param resources
	// could be found.
	AllowAction ParameterNotFoundActionType = "Allow"
	// DenyAction means all requests will be denied if no param resources are found.
	DenyAction ParameterNotFoundActionType = "Deny"
)

// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
type FailurePolicyType string

const (
	// Ignore means that an error calling the webhook is ignored.
	// For a ValidatingAdmissionPolicy this also means that compilation errors,
	// runtime errors and misconfigurations of the policy do not block the
	// request (see ValidatingAdmissionPolicyBindingSpec.ValidationActions).
	Ignore FailurePolicyType = "Ignore"
	// Fail means that an error calling the webhook causes the admission to fail.
	Fail FailurePolicyType = "Fail"
)

// MatchPolicyType specifies the type of match policy.
type MatchPolicyType string

const (
	// Exact means requests should only be sent to the webhook if they exactly match a given rule.
	Exact MatchPolicyType = "Exact"
	// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
	Equivalent MatchPolicyType = "Equivalent"
)

// SideEffectClass specifies the types of side effects a webhook may have.
type SideEffectClass string

const (
	// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
	// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
	SideEffectClassUnknown SideEffectClass = "Unknown"
	// SideEffectClassNone means that calling the webhook will have no side effects.
	SideEffectClassNone SideEffectClass = "None"
	// SideEffectClassSome means that calling the webhook will possibly have side effects.
	// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
	SideEffectClassSome SideEffectClass = "Some"
	// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
	// request being reviewed has the dry-run attribute, the side effects will be suppressed.
	SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.28
// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
// A policy on its own does nothing; it is enforced only once a
// ValidatingAdmissionPolicyBinding references it by name.
type ValidatingAdmissionPolicy struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Specification of the desired behavior of the ValidatingAdmissionPolicy.
	Spec ValidatingAdmissionPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
	// The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
	// behaves in the expected way.
	// Populated by the system.
	// Read-only.
	// +optional
	Status ValidatingAdmissionPolicyStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

// ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
type ValidatingAdmissionPolicyStatus struct {
	// The generation observed by the controller.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
	// The results of type checking for each expression.
	// Presence of this field indicates the completion of the type checking.
	// +optional
	TypeChecking *TypeChecking `json:"typeChecking,omitempty" protobuf:"bytes,2,opt,name=typeChecking"`
	// The conditions represent the latest available observations of a policy's current state.
	// +optional
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" protobuf:"bytes,3,rep,name=conditions"`
}

// ValidatingAdmissionPolicyConditionType is the condition type of admission validation policy.
type ValidatingAdmissionPolicyConditionType string

// TypeChecking contains results of type checking the expressions in the
// ValidatingAdmissionPolicy.
type TypeChecking struct {
	// The type checking warnings for each expression.
	// +optional
	// +listType=atomic
	ExpressionWarnings []ExpressionWarning `json:"expressionWarnings,omitempty" protobuf:"bytes,1,rep,name=expressionWarnings"`
}

// ExpressionWarning is warning information that targets a specific expression.
type ExpressionWarning struct {
	// The path to the field that refers to the expression.
	// For example, the reference to the expression of the first item of
	// validations is "spec.validations[0].expression".
	FieldRef string `json:"fieldRef" protobuf:"bytes,2,opt,name=fieldRef"`
	// The content of type checking information in a human-readable form.
	// Each line of the warning contains the type that the expression is checked
	// against, followed by the type check error from the compiler.
	Warning string `json:"warning" protobuf:"bytes,3,opt,name=warning"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.28
// ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.
type ValidatingAdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard list metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// List of ValidatingAdmissionPolicy.
	Items []ValidatingAdmissionPolicy `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"`
}

// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
type ValidatingAdmissionPolicySpec struct {
	// ParamKind specifies the kind of resources used to parameterize this policy.
	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
	// +optional
	ParamKind *ParamKind `json:"paramKind,omitempty" protobuf:"bytes,1,rep,name=paramKind"`

	// MatchConstraints specifies what resources this policy is designed to validate.
	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API,
	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
	// Required.
	MatchConstraints *MatchResources `json:"matchConstraints,omitempty" protobuf:"bytes,2,rep,name=matchConstraints"`

	// Validations contain CEL expressions which are used to apply the validation.
	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
	// required.
	// +listType=atomic
	// +optional
	Validations []Validation `json:"validations,omitempty" protobuf:"bytes,3,rep,name=validations"`

	// failurePolicy defines how to handle failures for the admission policy. Failures can
	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
	// or mis-configured policy definitions or bindings.
	//
	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
	//
	// failurePolicy does not define how validations that evaluate to false are handled.
	//
	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
	// define how failures are enforced.
	//
	// Allowed values are Ignore or Fail. Defaults to Fail.
	// +optional
	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"`

	// auditAnnotations contains CEL expressions which are used to produce audit
	// annotations for the audit event of the API request.
	// validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is
	// required.
	// +listType=atomic
	// +optional
	AuditAnnotations []AuditAnnotation `json:"auditAnnotations,omitempty" protobuf:"bytes,5,rep,name=auditAnnotations"`

	// MatchConditions is a list of conditions that must be met for a request to be validated.
	// Match conditions filter requests that have already been matched by the rules,
	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
	// There are a maximum of 64 match conditions allowed.
	//
	// If a parameter object is provided, it can be accessed via the `params` handle in the same
	// manner as validation expressions.
	//
	// The exact matching logic is (in order):
	//   1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
	//   2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
	//   3. If any matchCondition evaluates to an error (but none are FALSE):
	//      - If failurePolicy=Fail, reject the request
	//      - If failurePolicy=Ignore, the policy is skipped
	//
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	// +optional
	MatchConditions []MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,6,rep,name=matchConditions"`

	// Variables contain definitions of variables that can be used in composition of other expressions.
	// Each variable is defined as a named CEL expression.
	// The variables defined here will be available under `variables` in other expressions of the policy
	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
	//
	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
	// Thus, Variables must be sorted by the order of first appearance and acyclic.
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	// +optional
	Variables []Variable `json:"variables,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,7,rep,name=variables"`
}

// ParamKind is a tuple of Group Kind and Version.
// +structType=atomic
type ParamKind struct {
	// APIVersion is the API group version the resources belong to.
	// In format of "group/version".
	// Required.
	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,1,rep,name=apiVersion"`

	// Kind is the API kind the resources belong to.
	// Required.
	Kind string `json:"kind,omitempty" protobuf:"bytes,2,rep,name=kind"`
}

// Validation specifies the CEL expression which is used to apply the validation.
type Validation struct {
	// Expression represents the expression which will be evaluated by CEL.
	// ref: https://github.com/google/cel-spec
	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
	//
	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
	// - 'oldObject' - The existing object. The value is null for CREATE requests.
	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
	//   For example, a variable named 'foo' can be accessed as 'variables.foo'.
	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
	//   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
	//   request resource.
	//
	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
	// object. No other metadata properties are accessible.
	//
	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
	// Accessible property names are escaped according to the following rules when accessed in the expression:
	// - '__' escapes to '__underscores__'
	// - '.' escapes to '__dot__'
	// - '-' escapes to '__dash__'
	// - '/' escapes to '__slash__'
	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
	//	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
	//	  "import", "let", "loop", "package", "namespace", "return".
	// Examples:
	//   - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
	//   - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
	//   - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
	//
	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
	//   - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
	//     non-intersecting elements in `Y` are appended, retaining their partial order.
	//   - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
	//     are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
	//     non-intersecting keys are appended, retaining their partial order.
	// Required.
	Expression string `json:"expression" protobuf:"bytes,1,opt,name=Expression"`
	// Message represents the message displayed when validation fails. The message is required if the Expression contains
	// line breaks. The message must not contain line breaks.
	// If unset, the message is "failed rule: {Rule}".
	// e.g. "must be a URL with the host matching spec.host"
	// If unset, the message is "failed Expression: {Expression}".
	// +optional
	Message string `json:"message,omitempty" protobuf:"bytes,2,opt,name=message"`
	// Reason represents a machine-readable description of why this validation failed.
	// If this is the first validation in the list to fail, this reason, as well as the
	// corresponding HTTP response code, are used in the
	// HTTP response to the client.
	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
	// If not set, StatusReasonInvalid is used in the response to the client.
	// +optional
	Reason *metav1.StatusReason `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"`
	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
	// Since messageExpression is used as a failure message, it must evaluate to a string.
	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
	// Example:
	// "object.x must be less than max ("+string(params.max)+")"
	// +optional
	MessageExpression string `json:"messageExpression,omitempty" protobuf:"bytes,4,opt,name=messageExpression"`
}

// Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.
// +structType=atomic
type Variable struct {
	// Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
	// The variable can be accessed in other expressions through `variables`.
	// For example, if name is "foo", the variable will be available as `variables.foo`.
	Name string `json:"name" protobuf:"bytes,1,opt,name=Name"`

	// Expression is the expression that will be evaluated as the value of the variable.
	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
	Expression string `json:"expression" protobuf:"bytes,2,opt,name=Expression"`
}

// AuditAnnotation describes how to produce an audit annotation for an API request.
type AuditAnnotation struct {
	// key specifies the audit annotation key. The audit annotation keys of
	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
	//
	// The key is combined with the resource name of the
	// ValidatingAdmissionPolicy to construct an audit annotation key:
	// "{ValidatingAdmissionPolicy name}/{key}".
	//
	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
	// and the same audit annotation key, the annotation key will be identical.
	// In this case, the first annotation written with the key will be included
	// in the audit event and all subsequent annotations with the same key
	// will be discarded.
	//
	// Required.
	Key string `json:"key" protobuf:"bytes,1,opt,name=key"`

	// valueExpression represents the expression which is evaluated by CEL to
	// produce an audit annotation value. The expression must evaluate to either
	// a string or null value. If the expression evaluates to a string, the
	// audit annotation is included with the string value. If the expression
	// evaluates to null or empty string the audit annotation will be omitted.
	// The valueExpression may be no longer than 5kb in length.
	// If the result of the valueExpression is more than 10kb in length, it
	// will be truncated to 10kb.
	//
	// If multiple ValidatingAdmissionPolicyBinding resources match an
	// API request, then the valueExpression will be evaluated for
	// each binding. All unique values produced by the valueExpressions
	// will be joined together in a comma-separated list.
	//
	// Required.
	ValueExpression string `json:"valueExpression" protobuf:"bytes,2,opt,name=valueExpression"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.28

// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with parameterized resources.
// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
//
// For a given admission request, each binding will cause its policy to be
// evaluated N times, where N is 1 for policies/bindings that don't use
// params, otherwise N is the number of parameters selected by the binding.
//
// The CEL expressions of a policy must have a computed CEL cost below the maximum
// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
// Adding/removing policies, bindings, or params can not affect whether a
// given (policy, binding, param) combination is within its own CEL budget.
type ValidatingAdmissionPolicyBinding struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
	Spec ValidatingAdmissionPolicyBindingSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.28

// ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.
type ValidatingAdmissionPolicyBindingList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard list metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// List of ValidatingAdmissionPolicyBinding.
	Items []ValidatingAdmissionPolicyBinding `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"`
}

// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
type ValidatingAdmissionPolicyBindingSpec struct {
	// PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
	// If the referenced resource does not exist, this binding is considered invalid and will be ignored.
	// Required.
	PolicyName string `json:"policyName,omitempty" protobuf:"bytes,1,rep,name=policyName"`

	// paramRef specifies the parameter resource used to configure the admission control policy.
	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
	// +optional
	ParamRef *ParamRef `json:"paramRef,omitempty" protobuf:"bytes,2,rep,name=paramRef"`

	// MatchResources declares what resources match this binding and will be validated by it.
	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
	// If this is unset, all resources matched by the policy are validated by this binding.
	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
	// Note that this differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
	// +optional
	MatchResources *MatchResources `json:"matchResources,omitempty" protobuf:"bytes,3,rep,name=matchResources"`

	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
	// If a validation evaluates to false it is always enforced according to these actions.
	//
	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
	//
	// validationActions is declared as a set of action values. Order does
	// not matter. validationActions may not contain duplicates of the same action.
	//
	// The supported actions values are:
	//
	// "Deny" specifies that a validation failure results in a denied request.
	//
	// "Warn" specifies that a validation failure is reported to the request client
	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
	// both for allowed or denied admission responses.
	//
	// "Audit" specifies that a validation failure is included in the published
	// audit event for the request. The audit event will contain a
	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
	// with a value containing the details of the validation failures, formatted as
	// a JSON list of objects, each with the following fields:
	// - message: The validation failure message string
	// - policy: The resource name of the ValidatingAdmissionPolicy
	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
	// - validationActions: The enforcement actions enacted for the validation failure
	// Example audit annotation:
	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", \"policy\": \"policy.example.com\", \"binding\": \"policybinding.example.com\", \"expressionIndex\": \"1\", \"validationActions\": [\"Audit\"]}]"`
	//
	// Clients should expect to handle additional values by ignoring
	// any values not recognized.
	//
	// "Deny" and "Warn" may not be used together since this combination
	// needlessly duplicates the validation failure both in the
	// API response body and the HTTP warning headers.
	//
	// Required.
	// +listType=set
	ValidationActions []ValidationAction `json:"validationActions,omitempty" protobuf:"bytes,4,rep,name=validationActions"`
}

// ParamRef describes how to locate the params to be used as input to
// expressions of rules applied by a policy binding.
// +structType=atomic
type ParamRef struct {
	// name is the name of the resource being referenced.
	//
	// One of `name` or `selector` must be set, but `name` and `selector` are
	// mutually exclusive properties. If one is set, the other must be unset.
	//
	// A single parameter used for all admission requests can be configured
	// by setting the `name` field, leaving `selector` blank, and setting namespace
	// if `paramKind` is namespace-scoped.
	//
	Name string `json:"name,omitempty" protobuf:"bytes,1,rep,name=name"`

	// namespace is the namespace of the referenced resource. Allows limiting
	// the search for params to a specific namespace. Applies to both `name` and
	// `selector` fields.
	//
	// A per-namespace parameter may be used by specifying a namespace-scoped
	// `paramKind` in the policy and leaving this field empty.
	//
	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
	// field results in a configuration error.
	//
	// - If `paramKind` is namespace-scoped, the namespace of the object being
	// evaluated for admission will be used when this field is left unset. Take
	// care that if this is left empty the binding must not match any cluster-scoped
	// resources, which will result in an error.
	//
	// +optional
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,rep,name=namespace"`

	// selector can be used to match multiple param objects based on their labels.
	// Supply selector: {} to match all resources of the ParamKind.
	//
	// If multiple params are found, they are all evaluated with the policy expressions
	// and the results are ANDed together.
	//
	// One of `name` or `selector` must be set, but `name` and `selector` are
	// mutually exclusive properties. If one is set, the other must be unset.
	//
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,3,rep,name=selector"`

	// `parameterNotFoundAction` controls the behavior of the binding when the resource
	// exists, and name or selector is valid, but there are no parameters
	// matched by the binding. If the value is set to `Allow`, then no
	// matched parameters will be treated as successful validation by the binding.
	// If set to `Deny`, then no matched parameters will be subject to the
	// `failurePolicy` of the policy.
	//
	// Allowed values are `Allow` or `Deny`.
	//
	// Required
	ParameterNotFoundAction *ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty" protobuf:"bytes,4,rep,name=parameterNotFoundAction"`
}

// MatchResources decides whether to run the admission control policy on an object based
// on whether it meets the match criteria.
// The exclude rules take precedence over include rules (if a resource matches both, it is excluded).
// +structType=atomic
type MatchResources struct {
	// NamespaceSelector decides whether to run the admission control policy on an object based
	// on whether the namespace for that object matches the selector. If the
	// object itself is a namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster scoped resource,
	// it never skips the policy.
	//
	// For example, to run the webhook on any objects whose namespace is not
	// associated with "runlevel" of "0" or "1"; you will set the selector as
	// follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "runlevel",
	//       "operator": "NotIn",
	//       "values": [
	//         "0",
	//         "1"
	//       ]
	//     }
	//   ]
	// }
	//
	// If instead you want to only run the policy on any objects whose
	// namespace is associated with the "environment" of "prod" or "staging";
	// you will set the selector as follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "environment",
	//       "operator": "In",
	//       "values": [
	//         "prod",
	//         "staging"
	//       ]
	//     }
	//   ]
	// }
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
	// for more examples of label selectors.
	//
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,1,opt,name=namespaceSelector"`
	// ObjectSelector decides whether to run the validation based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the cel validation, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the policy is opt-in, because end
	// users may skip the policy by setting the labels on the object they
	// submit.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,2,opt,name=objectSelector"`
	// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
	// The policy cares about an operation if it matches _any_ Rule.
	// +listType=atomic
	// +optional
	ResourceRules []NamedRuleWithOperations `json:"resourceRules,omitempty" protobuf:"bytes,3,rep,name=resourceRules"`
	// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded).
	// +listType=atomic
	// +optional
	ExcludeResourceRules []NamedRuleWithOperations `json:"excludeResourceRules,omitempty" protobuf:"bytes,4,rep,name=excludeResourceRules"`
	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	//
	// - Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
	//
	// - Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
	//
	// Defaults to "Equivalent".
	// +optional
	MatchPolicy *MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,7,opt,name=matchPolicy,casttype=MatchPolicyType"`
}

// ValidationAction specifies a policy enforcement action.
// +enum
type ValidationAction string

const (
	// Deny specifies that a validation failure results in a denied request.
	Deny ValidationAction = "Deny"
	// Warn specifies that a validation failure is reported to the request client
	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
	// both for allowed or denied admission responses.
	Warn ValidationAction = "Warn"
	// Audit specifies that a validation failure is included in the published
	// audit event for the request. The audit event will contain a
	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
	// with a value containing the details of the validation failure.
	Audit ValidationAction = "Audit"
)

// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
// +structType=atomic
type NamedRuleWithOperations struct {
	// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
	// +listType=atomic
	// +optional
	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,1,rep,name=resourceNames"`
	// RuleWithOperations is a tuple of Operations and Resources.
665 RuleWithOperations `json:",inline" protobuf:"bytes,2,opt,name=ruleWithOperations"` 666 } 667 668 // +genclient 669 // +genclient:nonNamespaced 670 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 671 // +k8s:prerelease-lifecycle-gen:introduced=1.9 672 // +k8s:prerelease-lifecycle-gen:deprecated=1.16 673 // +k8s:prerelease-lifecycle-gen:removed=1.22 674 // +k8s:prerelease-lifecycle-gen:replacement=admissionregistration.k8s.io,v1,ValidatingWebhookConfiguration 675 676 // ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. 677 // Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead. 678 type ValidatingWebhookConfiguration struct { 679 metav1.TypeMeta `json:",inline"` 680 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 681 // +optional 682 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 683 // Webhooks is a list of webhooks and the affected resources and operations. 684 // +optional 685 // +patchMergeKey=name 686 // +patchStrategy=merge 687 // +listType=map 688 // +listMapKey=name 689 Webhooks []ValidatingWebhook `json:"webhooks,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=Webhooks"` 690 } 691 692 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 693 // +k8s:prerelease-lifecycle-gen:introduced=1.9 694 // +k8s:prerelease-lifecycle-gen:deprecated=1.16 695 // +k8s:prerelease-lifecycle-gen:removed=1.22 696 // +k8s:prerelease-lifecycle-gen:replacement=admissionregistration.k8s.io,v1,ValidatingWebhookConfigurationList 697 698 // ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration. 
699 type ValidatingWebhookConfigurationList struct { 700 metav1.TypeMeta `json:",inline"` 701 // Standard list metadata. 702 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 703 // +optional 704 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 705 // List of ValidatingWebhookConfiguration. 706 Items []ValidatingWebhookConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"` 707 } 708 709 // +genclient 710 // +genclient:nonNamespaced 711 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 712 // +k8s:prerelease-lifecycle-gen:introduced=1.9 713 // +k8s:prerelease-lifecycle-gen:deprecated=1.16 714 // +k8s:prerelease-lifecycle-gen:removed=1.22 715 // +k8s:prerelease-lifecycle-gen:replacement=admissionregistration.k8s.io,v1,MutatingWebhookConfiguration 716 717 // MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. 718 // Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead. 719 type MutatingWebhookConfiguration struct { 720 metav1.TypeMeta `json:",inline"` 721 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 722 // +optional 723 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 724 // Webhooks is a list of webhooks and the affected resources and operations. 
725 // +optional 726 // +patchMergeKey=name 727 // +patchStrategy=merge 728 // +listType=map 729 // +listMapKey=name 730 Webhooks []MutatingWebhook `json:"webhooks,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=Webhooks"` 731 } 732 733 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 734 // +k8s:prerelease-lifecycle-gen:introduced=1.9 735 // +k8s:prerelease-lifecycle-gen:deprecated=1.16 736 // +k8s:prerelease-lifecycle-gen:removed=1.22 737 // +k8s:prerelease-lifecycle-gen:replacement=admissionregistration.k8s.io,v1,MutatingWebhookConfigurationList 738 739 // MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration. 740 type MutatingWebhookConfigurationList struct { 741 metav1.TypeMeta `json:",inline"` 742 // Standard list metadata. 743 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 744 // +optional 745 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 746 // List of MutatingWebhookConfiguration. 747 Items []MutatingWebhookConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"` 748 } 749 750 // ValidatingWebhook describes an admission webhook and the resources and operations it applies to. 751 type ValidatingWebhook struct { 752 // The name of the admission webhook. 753 // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where 754 // "imagepolicy" is the name of the webhook, and kubernetes.io is the name 755 // of the organization. 756 // Required. 757 Name string `json:"name" protobuf:"bytes,1,opt,name=name"` 758 759 // ClientConfig defines how to communicate with the hook. 760 // Required 761 ClientConfig WebhookClientConfig `json:"clientConfig" protobuf:"bytes,2,opt,name=clientConfig"` 762 763 // Rules describes what operations on what resources/subresources the webhook cares about. 764 // The webhook cares about an operation if it matches _any_ Rule. 
765 // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks 766 // from putting the cluster in a state which cannot be recovered from without completely 767 // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called 768 // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. 769 // +listType=atomic 770 Rules []RuleWithOperations `json:"rules,omitempty" protobuf:"bytes,3,rep,name=rules"` 771 772 // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - 773 // allowed values are Ignore or Fail. Defaults to Ignore. 774 // +optional 775 FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"` 776 777 // matchPolicy defines how the "rules" list is used to match incoming requests. 778 // Allowed values are "Exact" or "Equivalent". 779 // 780 // - Exact: match a request only if it exactly matches a specified rule. 781 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 782 // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 783 // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. 784 // 785 // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 786 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 787 // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 788 // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 
789 // 790 // Defaults to "Exact" 791 // +optional 792 MatchPolicy *MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,9,opt,name=matchPolicy,casttype=MatchPolicyType"` 793 794 // NamespaceSelector decides whether to run the webhook on an object based 795 // on whether the namespace for that object matches the selector. If the 796 // object itself is a namespace, the matching is performed on 797 // object.metadata.labels. If the object is another cluster scoped resource, 798 // it never skips the webhook. 799 // 800 // For example, to run the webhook on any objects whose namespace is not 801 // associated with "runlevel" of "0" or "1"; you will set the selector as 802 // follows: 803 // "namespaceSelector": { 804 // "matchExpressions": [ 805 // { 806 // "key": "runlevel", 807 // "operator": "NotIn", 808 // "values": [ 809 // "0", 810 // "1" 811 // ] 812 // } 813 // ] 814 // } 815 // 816 // If instead you want to only run the webhook on any objects whose 817 // namespace is associated with the "environment" of "prod" or "staging"; 818 // you will set the selector as follows: 819 // "namespaceSelector": { 820 // "matchExpressions": [ 821 // { 822 // "key": "environment", 823 // "operator": "In", 824 // "values": [ 825 // "prod", 826 // "staging" 827 // ] 828 // } 829 // ] 830 // } 831 // 832 // See 833 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels 834 // for more examples of label selectors. 835 // 836 // Default to the empty LabelSelector, which matches everything. 837 // +optional 838 NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"` 839 840 // ObjectSelector decides whether to run the webhook based on if the 841 // object has matching labels. objectSelector is evaluated against both 842 // the oldObject and newObject that would be sent to the webhook, and 843 // is considered to match if either object matches the selector. 
A null 844 // object (oldObject in the case of create, or newObject in the case of 845 // delete) or an object that cannot have labels (like a 846 // DeploymentRollback or a PodProxyOptions object) is not considered to 847 // match. 848 // Use the object selector only if the webhook is opt-in, because end 849 // users may skip the admission webhook by setting the labels. 850 // Default to the empty LabelSelector, which matches everything. 851 // +optional 852 ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,10,opt,name=objectSelector"` 853 854 // SideEffects states whether this webhook has side effects. 855 // Acceptable values are: Unknown, None, Some, NoneOnDryRun 856 // Webhooks with side effects MUST implement a reconciliation system, since a request may be 857 // rejected by a future step in the admission chain and the side effects therefore need to be undone. 858 // Requests with the dryRun attribute will be auto-rejected if they match a webhook with 859 // sideEffects == Unknown or Some. Defaults to Unknown. 860 // +optional 861 // +listType=atomic 862 SideEffects *SideEffectClass `json:"sideEffects,omitempty" protobuf:"bytes,6,opt,name=sideEffects,casttype=SideEffectClass"` 863 864 // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, 865 // the webhook call will be ignored or the API call will fail based on the 866 // failure policy. 867 // The timeout value must be between 1 and 30 seconds. 868 // Default to 30 seconds. 869 // +optional 870 TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" protobuf:"varint,7,opt,name=timeoutSeconds"` 871 872 // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` 873 // versions the Webhook expects. API server will try to use first version in 874 // the list which it supports. If none of the versions specified in this list 875 // supported by API server, validation will fail for this object. 
876 // If a persisted webhook configuration specifies allowed versions and does not 877 // include any versions known to the API Server, calls to the webhook will fail 878 // and be subject to the failure policy. 879 // Default to `['v1beta1']`. 880 // +optional 881 // +listType=atomic 882 AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty" protobuf:"bytes,8,rep,name=admissionReviewVersions"` 883 884 // MatchConditions is a list of conditions that must be met for a request to be sent to this 885 // webhook. Match conditions filter requests that have already been matched by the rules, 886 // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. 887 // There are a maximum of 64 match conditions allowed. 888 // 889 // The exact matching logic is (in order): 890 // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. 891 // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. 892 // 3. If any matchCondition evaluates to an error (but none are FALSE): 893 // - If failurePolicy=Fail, reject the request 894 // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped 895 // 896 // +patchMergeKey=name 897 // +patchStrategy=merge 898 // +listType=map 899 // +listMapKey=name 900 // +optional 901 MatchConditions []MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,11,rep,name=matchConditions"` 902 } 903 904 // MutatingWebhook describes an admission webhook and the resources and operations it applies to. 905 type MutatingWebhook struct { 906 // The name of the admission webhook. 907 // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where 908 // "imagepolicy" is the name of the webhook, and kubernetes.io is the name 909 // of the organization. 910 // Required. 911 Name string `json:"name" protobuf:"bytes,1,opt,name=name"` 912 913 // ClientConfig defines how to communicate with the hook. 
914 // Required 915 ClientConfig WebhookClientConfig `json:"clientConfig" protobuf:"bytes,2,opt,name=clientConfig"` 916 917 // Rules describes what operations on what resources/subresources the webhook cares about. 918 // The webhook cares about an operation if it matches _any_ Rule. 919 // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks 920 // from putting the cluster in a state which cannot be recovered from without completely 921 // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called 922 // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. 923 // +listType=atomic 924 Rules []RuleWithOperations `json:"rules,omitempty" protobuf:"bytes,3,rep,name=rules"` 925 926 // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - 927 // allowed values are Ignore or Fail. Defaults to Ignore. 928 // +optional 929 FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"` 930 931 // matchPolicy defines how the "rules" list is used to match incoming requests. 932 // Allowed values are "Exact" or "Equivalent". 933 // 934 // - Exact: match a request only if it exactly matches a specified rule. 935 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 936 // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 937 // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. 938 // 939 // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
940 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 941 // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 942 // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 943 // 944 // Defaults to "Exact" 945 // +optional 946 MatchPolicy *MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,9,opt,name=matchPolicy,casttype=MatchPolicyType"` 947 948 // NamespaceSelector decides whether to run the webhook on an object based 949 // on whether the namespace for that object matches the selector. If the 950 // object itself is a namespace, the matching is performed on 951 // object.metadata.labels. If the object is another cluster scoped resource, 952 // it never skips the webhook. 953 // 954 // For example, to run the webhook on any objects whose namespace is not 955 // associated with "runlevel" of "0" or "1"; you will set the selector as 956 // follows: 957 // "namespaceSelector": { 958 // "matchExpressions": [ 959 // { 960 // "key": "runlevel", 961 // "operator": "NotIn", 962 // "values": [ 963 // "0", 964 // "1" 965 // ] 966 // } 967 // ] 968 // } 969 // 970 // If instead you want to only run the webhook on any objects whose 971 // namespace is associated with the "environment" of "prod" or "staging"; 972 // you will set the selector as follows: 973 // "namespaceSelector": { 974 // "matchExpressions": [ 975 // { 976 // "key": "environment", 977 // "operator": "In", 978 // "values": [ 979 // "prod", 980 // "staging" 981 // ] 982 // } 983 // ] 984 // } 985 // 986 // See 987 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 988 // for more examples of label selectors. 989 // 990 // Default to the empty LabelSelector, which matches everything. 
991 // +optional 992 NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"` 993 994 // ObjectSelector decides whether to run the webhook based on if the 995 // object has matching labels. objectSelector is evaluated against both 996 // the oldObject and newObject that would be sent to the webhook, and 997 // is considered to match if either object matches the selector. A null 998 // object (oldObject in the case of create, or newObject in the case of 999 // delete) or an object that cannot have labels (like a 1000 // DeploymentRollback or a PodProxyOptions object) is not considered to 1001 // match. 1002 // Use the object selector only if the webhook is opt-in, because end 1003 // users may skip the admission webhook by setting the labels. 1004 // Default to the empty LabelSelector, which matches everything. 1005 // +optional 1006 ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,11,opt,name=objectSelector"` 1007 1008 // SideEffects states whether this webhook has side effects. 1009 // Acceptable values are: Unknown, None, Some, NoneOnDryRun 1010 // Webhooks with side effects MUST implement a reconciliation system, since a request may be 1011 // rejected by a future step in the admission chain and the side effects therefore need to be undone. 1012 // Requests with the dryRun attribute will be auto-rejected if they match a webhook with 1013 // sideEffects == Unknown or Some. Defaults to Unknown. 1014 // +optional 1015 SideEffects *SideEffectClass `json:"sideEffects,omitempty" protobuf:"bytes,6,opt,name=sideEffects,casttype=SideEffectClass"` 1016 1017 // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, 1018 // the webhook call will be ignored or the API call will fail based on the 1019 // failure policy. 1020 // The timeout value must be between 1 and 30 seconds. 1021 // Default to 30 seconds. 
1022 // +optional 1023 TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" protobuf:"varint,7,opt,name=timeoutSeconds"` 1024 1025 // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` 1026 // versions the Webhook expects. API server will try to use first version in 1027 // the list which it supports. If none of the versions specified in this list 1028 // supported by API server, validation will fail for this object. 1029 // If a persisted webhook configuration specifies allowed versions and does not 1030 // include any versions known to the API Server, calls to the webhook will fail 1031 // and be subject to the failure policy. 1032 // Default to `['v1beta1']`. 1033 // +optional 1034 // +listType=atomic 1035 AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty" protobuf:"bytes,8,rep,name=admissionReviewVersions"` 1036 1037 // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. 1038 // Allowed values are "Never" and "IfNeeded". 1039 // 1040 // Never: the webhook will not be called more than once in a single admission evaluation. 1041 // 1042 // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation 1043 // if the object being admitted is modified by other admission plugins after the initial webhook call. 1044 // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. 1045 // Note: 1046 // * the number of additional invocations is not guaranteed to be exactly one. 1047 // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. 1048 // * webhooks that use this option may be reordered to minimize the number of additional invocations. 1049 // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. 1050 // 1051 // Defaults to "Never". 
1052 // +optional 1053 ReinvocationPolicy *ReinvocationPolicyType `json:"reinvocationPolicy,omitempty" protobuf:"bytes,10,opt,name=reinvocationPolicy,casttype=ReinvocationPolicyType"` 1054 1055 // MatchConditions is a list of conditions that must be met for a request to be sent to this 1056 // webhook. Match conditions filter requests that have already been matched by the rules, 1057 // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. 1058 // There are a maximum of 64 match conditions allowed. 1059 // 1060 // The exact matching logic is (in order): 1061 // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. 1062 // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. 1063 // 3. If any matchCondition evaluates to an error (but none are FALSE): 1064 // - If failurePolicy=Fail, reject the request 1065 // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped 1066 // 1067 // +patchMergeKey=name 1068 // +patchStrategy=merge 1069 // +listType=map 1070 // +listMapKey=name 1071 // +optional 1072 MatchConditions []MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,12,rep,name=matchConditions"` 1073 } 1074 1075 // ReinvocationPolicyType specifies what type of policy the admission hook uses. 1076 type ReinvocationPolicyType string 1077 1078 const ( 1079 // NeverReinvocationPolicy indicates that the webhook must not be called more than once in a 1080 // single admission evaluation. 1081 NeverReinvocationPolicy ReinvocationPolicyType = "Never" 1082 // IfNeededReinvocationPolicy indicates that the webhook may be called at least one 1083 // additional time as part of the admission evaluation if the object being admitted is 1084 // modified by other admission plugins after the initial webhook call. 
1085 IfNeededReinvocationPolicy ReinvocationPolicyType = "IfNeeded" 1086 ) 1087 1088 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make 1089 // sure that all the tuple expansions are valid. 1090 type RuleWithOperations = v1.RuleWithOperations 1091 1092 // OperationType specifies an operation for a request. 1093 // +enum 1094 type OperationType = v1.OperationType 1095 1096 // The constants should be kept in sync with those defined in k8s.io/kubernetes/pkg/admission/interface.go. 1097 const ( 1098 OperationAll OperationType = v1.OperationAll 1099 Create OperationType = v1.Create 1100 Update OperationType = v1.Update 1101 Delete OperationType = v1.Delete 1102 Connect OperationType = v1.Connect 1103 ) 1104 1105 // WebhookClientConfig contains the information to make a TLS 1106 // connection with the webhook 1107 type WebhookClientConfig struct { 1108 // `url` gives the location of the webhook, in standard URL form 1109 // (`scheme://host:port/path`). Exactly one of `url` or `service` 1110 // must be specified. 1111 // 1112 // The `host` should not refer to a service running in the cluster; use 1113 // the `service` field instead. The host might be resolved via external 1114 // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve 1115 // in-cluster DNS as that would be a layering violation). `host` may 1116 // also be an IP address. 1117 // 1118 // Please note that using `localhost` or `127.0.0.1` as a `host` is 1119 // risky unless you take great care to run this webhook on all hosts 1120 // which run an apiserver which might need to make calls to this 1121 // webhook. Such installs are likely to be non-portable, i.e., not easy 1122 // to turn up in a new cluster. 1123 // 1124 // The scheme must be "https"; the URL must begin with "https://". 1125 // 1126 // A path is optional, and if present may be any string permissible in 1127 // a URL. 
You may use the path to pass an arbitrary string to the 1128 // webhook, for example, a cluster identifier. 1129 // 1130 // Attempting to use a user or basic auth e.g. "user:password@" is not 1131 // allowed. Fragments ("#...") and query parameters ("?...") are not 1132 // allowed, either. 1133 // 1134 // +optional 1135 URL *string `json:"url,omitempty" protobuf:"bytes,3,opt,name=url"` 1136 1137 // `service` is a reference to the service for this webhook. Either 1138 // `service` or `url` must be specified. 1139 // 1140 // If the webhook is running within the cluster, then you should use `service`. 1141 // 1142 // +optional 1143 Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,1,opt,name=service"` 1144 1145 // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. 1146 // If unspecified, system trust roots on the apiserver are used. 1147 // +optional 1148 CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"` 1149 } 1150 1151 // ServiceReference holds a reference to Service.legacy.k8s.io 1152 type ServiceReference struct { 1153 // `namespace` is the namespace of the service. 1154 // Required 1155 Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"` 1156 // `name` is the name of the service. 1157 // Required 1158 Name string `json:"name" protobuf:"bytes,2,opt,name=name"` 1159 1160 // `path` is an optional URL path which will be sent in any request to 1161 // this service. 1162 // +optional 1163 Path *string `json:"path,omitempty" protobuf:"bytes,3,opt,name=path"` 1164 1165 // If specified, the port on the service that hosting webhook. 1166 // Default to 443 for backward compatibility. 1167 // `port` should be a valid port number (1-65535, inclusive). 
1168 // +optional 1169 Port *int32 `json:"port,omitempty" protobuf:"varint,4,opt,name=port"` 1170 } 1171 1172 // MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook. 1173 type MatchCondition struct { 1174 // Name is an identifier for this match condition, used for strategic merging of MatchConditions, 1175 // as well as providing an identifier for logging purposes. A good name should be descriptive of 1176 // the associated expression. 1177 // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and 1178 // must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or 1179 // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an 1180 // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') 1181 // 1182 // Required. 1183 Name string `json:"name" protobuf:"bytes,1,opt,name=name"` 1184 1185 // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 1186 // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: 1187 // 1188 // 'object' - The object from the incoming request. The value is null for DELETE requests. 1189 // 'oldObject' - The existing object. The value is null for CREATE requests. 1190 // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 1191 // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 1192 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 1193 // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the 1194 // request resource. 1195 // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ 1196 // 1197 // Required. 
1198 Expression string `json:"expression" protobuf:"bytes,2,opt,name=expression"` 1199 } 1200