1 /* 2 Copyright 2017 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package admissionregistration 18 19 import ( 20 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 21 ) 22 23 // Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended 24 // to make sure that all the tuple expansions are valid. 25 type Rule struct { 26 // APIGroups is the API groups the resources belong to. '*' is all groups. 27 // If '*' is present, the length of the slice must be one. 28 // Required. 29 APIGroups []string 30 31 // APIVersions is the API versions the resources belong to. '*' is all versions. 32 // If '*' is present, the length of the slice must be one. 33 // Required. 34 APIVersions []string 35 36 // Resources is a list of resources this rule applies to. 37 // 38 // For example: 39 // 'pods' means pods. 40 // 'pods/log' means the log subresource of pods. 41 // '*' means all resources, but not subresources. 42 // 'pods/*' means all subresources of pods. 43 // '*/scale' means all scale subresources. 44 // '*/*' means all resources and their subresources. 45 // 46 // If wildcard is present, the validation rule will ensure resources do not 47 // overlap with each other. 48 // 49 // Depending on the enclosing object, subresources might not be allowed. 50 // Required. 51 Resources []string 52 53 // scope specifies the scope of this rule. 54 // Valid values are "Cluster", "Namespaced", and "*" 55 // "Cluster" means that only cluster-scoped resources will match this rule. 56 // Namespace API objects are cluster-scoped. 57 // "Namespaced" means that only namespaced resources will match this rule. 58 // "*" means that there are no scope restrictions. 59 // Subresources match the scope of their parent resource. 60 // Default is "*". 61 // 62 // +optional 63 Scope *ScopeType 64 } 65 66 // ScopeType specifies the type of scope being used 67 type ScopeType string 68 69 const ( 70 // ClusterScope means that scope is limited to cluster-scoped objects. 71 // Namespace objects are cluster-scoped. 72 ClusterScope ScopeType = "Cluster" 73 // NamespacedScope means that scope is limited to namespaced objects. 74 NamespacedScope ScopeType = "Namespaced" 75 // AllScopes means that all scopes are included. 76 AllScopes ScopeType = "*" 77 ) 78 79 // ParameterNotFoundActionType specifies a failure policy that defines how a binding 80 // is evaluated when the param referred by its perNamespaceParamRef is not found. 81 type ParameterNotFoundActionType string 82 83 const ( 84 // Allow means all requests will be admitted if no param resources 85 // could be found. 86 AllowAction ParameterNotFoundActionType = "Allow" 87 // Deny means all requests will be denied if no param resources are found. 88 DenyAction ParameterNotFoundActionType = "Deny" 89 ) 90 91 // FailurePolicyType specifies the type of failure policy 92 type FailurePolicyType string 93 94 const ( 95 // Ignore means that an error calling the webhook is ignored. 96 Ignore FailurePolicyType = "Ignore" 97 // Fail means that an error calling the webhook causes the admission to fail. 98 Fail FailurePolicyType = "Fail" 99 ) 100 101 // MatchPolicyType specifies the type of match policy 102 type MatchPolicyType string 103 104 const ( 105 // Exact means requests should only be sent to the webhook if they exactly match a given rule 106 Exact MatchPolicyType = "Exact" 107 // Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version. 108 Equivalent MatchPolicyType = "Equivalent" 109 ) 110 111 // SideEffectClass denotes the type of side effects resulting from calling the webhook 112 type SideEffectClass string 113 114 const ( 115 // SideEffectClassUnknown means that no information is known about the side effects of calling the webhook. 116 // If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. 117 SideEffectClassUnknown SideEffectClass = "Unknown" 118 // SideEffectClassNone means that calling the webhook will have no side effects. 119 SideEffectClassNone SideEffectClass = "None" 120 // SideEffectClassSome means that calling the webhook will possibly have side effects. 121 // If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail. 122 SideEffectClassSome SideEffectClass = "Some" 123 // SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the 124 // request being reviewed has the dry-run attribute, the side effects will be suppressed. 125 SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun" 126 ) 127 128 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 129 130 // ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it. 131 type ValidatingAdmissionPolicy struct { 132 metav1.TypeMeta 133 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 134 // +optional 135 metav1.ObjectMeta 136 // Specification of the desired behavior of the ValidatingAdmissionPolicy. 137 Spec ValidatingAdmissionPolicySpec 138 // The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy 139 // behaves in the expected way. 140 // Populated by the system. 141 // Read-only. 142 // +optional 143 Status ValidatingAdmissionPolicyStatus 144 } 145 146 // ValidatingAdmissionPolicyStatus represents the status of an admission validation policy. 147 type ValidatingAdmissionPolicyStatus struct { 148 // The generation observed by the controller. 149 // +optional 150 ObservedGeneration int64 151 // The results of type checking for each expression. 152 // Presence of this field indicates the completion of the type checking. 153 // +optional 154 TypeChecking *TypeChecking 155 // The conditions represent the latest available observations of a policy's current state. 156 // +optional 157 // +listType=map 158 // +listMapKey=type 159 Conditions []metav1.Condition 160 } 161 162 // ValidatingAdmissionPolicyConditionType is the condition type of admission validation policy. 163 type ValidatingAdmissionPolicyConditionType string 164 165 // TypeChecking contains results of type checking the expressions in the 166 // ValidatingAdmissionPolicy 167 type TypeChecking struct { 168 // The type checking warnings for each expression. 169 // +optional 170 // +listType=atomic 171 ExpressionWarnings []ExpressionWarning 172 } 173 174 // ExpressionWarning is a warning information that targets a specific expression. 175 type ExpressionWarning struct { 176 // The path to the field that refers the expression. 177 // For example, the reference to the expression of the first item of 178 // validations is "spec.validations[0].expression" 179 FieldRef string 180 // The content of type checking information in a human-readable form. 181 // Each line of the warning contains the type that the expression is checked 182 // against, followed by the type check error from the compiler. 183 Warning string 184 } 185 186 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 187 188 // ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy. 189 type ValidatingAdmissionPolicyList struct { 190 metav1.TypeMeta 191 // Standard list metadata. 192 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 193 // +optional 194 metav1.ListMeta 195 // List of ValidatingAdmissionPolicy. 196 Items []ValidatingAdmissionPolicy 197 } 198 199 // ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy. 200 type ValidatingAdmissionPolicySpec struct { 201 // ParamKind specifies the kind of resources used to parameterize this policy. 202 // If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. 203 // If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. 204 // If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. 205 // +optional 206 ParamKind *ParamKind 207 208 // MatchConstraints specifies what resources this policy is designed to validate. 209 // The AdmissionPolicy cares about a request if it matches _all_ Constraint. 210 // However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API 211 // ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. 212 // Required. 213 MatchConstraints *MatchResources 214 215 // validations contain CEL expressions which are used to validate admission requests. 216 // validations and auditAnnotations may not both be empty; a minimum of one validations or auditAnnotations is 217 // required. 218 // +optional 219 Validations []Validation 220 221 // MatchConditions is a list of conditions that must be met for a request to be validated. 222 // Match conditions filter requests that have already been matched by the rules, 223 // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. 224 // There are a maximum of 64 match conditions allowed. 225 // 226 // If a parameter object is provided, it can be accessed via the `params` handle in the same 227 // manner as validation expressions. 228 // 229 // The exact matching logic is (in order): 230 // 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 231 // 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 232 // 3. If any matchCondition evaluates to an error (but none are FALSE): 233 // - If failurePolicy=Fail, reject the request 234 // - If failurePolicy=Ignore, the policy is skipped 235 // 236 // +optional 237 MatchConditions []MatchCondition 238 239 // failurePolicy defines how to handle failures for the admission policy. Failures can 240 // occur from CEL expression parse errors, type check errors, runtime errors and invalid 241 // or mis-configured policy definitions or bindings. 242 // 243 // A policy is invalid if spec.paramKind refers to a non-existent Kind. 244 // A binding is invalid if spec.paramRef.name refers to a non-existent resource. 245 // 246 // failurePolicy does not define how validations that evaluate to false are handled. 247 // 248 // When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions 249 // define how failures are enforced. 250 // 251 // Allowed values are Ignore or Fail. Defaults to Fail. 252 // +optional 253 FailurePolicy *FailurePolicyType 254 255 // auditAnnotations contains CEL expressions which are used to produce audit 256 // annotations for the audit event of the API request. 257 // validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is 258 // required. 259 // A maximum of 20 auditAnnotation are allowed per ValidatingAdmissionPolicy. 260 // +optional 261 AuditAnnotations []AuditAnnotation 262 263 // Variables contain definitions of variables that can be used in composition of other expressions. 264 // Each variable is defined as a named CEL expression. 265 // The variables defined here will be available under `variables` in other expressions of the policy 266 // except MatchConditions because MatchConditions are evaluated before the rest of the policy. 267 // 268 // The expression of a variable can refer to other variables defined earlier in the list but not those after. 269 // Thus, Variables must be sorted by the order of first appearance and acyclic. 270 // +optional 271 Variables []Variable 272 } 273 274 // ParamKind is a tuple of Group Kind and Version. 275 type ParamKind struct { 276 // APIVersion is the API group version the resources belong to. 277 // In format of "group/version". 278 // Required. 279 APIVersion string 280 281 // Kind is the API kind the resources belong to. 282 // Required. 283 Kind string 284 } 285 286 // Validation specifies the CEL expression which is used to apply the validation. 287 type Validation struct { 288 // Expression represents the expression which will be evaluated by CEL. 289 // ref: https://github.com/google/cel-spec 290 // CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables: 291 // 292 //'object' - The object from the incoming request. The value is null for DELETE requests. 293 //'oldObject' - The existing object. The value is null for CREATE requests. 294 //'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). 295 //'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. 296 //'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 297 //'variables' - Map of composited variables, from its name to its lazily evaluated value. 298 // For example, a variable named 'foo' can be accessed as 'variables.foo' 299 // - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 300 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 301 // - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the 302 // request resource. 303 // 304 // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the 305 // object. No other metadata properties are accessible. 306 // 307 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. 308 // Accessible property names are escaped according to the following rules when accessed in the expression: 309 // - '__' escapes to '__underscores__' 310 // - '.' escapes to '__dot__' 311 // - '-' escapes to '__dash__' 312 // - '/' escapes to '__slash__' 313 // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are: 314 // "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", 315 // "import", "let", "loop", "package", "namespace", "return". 316 // Examples: 317 // - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"} 318 // - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"} 319 // - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"} 320 // 321 // Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. 322 // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type: 323 // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and 324 // non-intersecting elements in `Y` are appended, retaining their partial order. 325 // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values 326 // are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with 327 // non-intersecting keys are appended, retaining their partial order. 328 // Required. 329 Expression string 330 // Message represents the message displayed when validation fails. The message is required if the Expression contains 331 // line breaks. The message must not contain line breaks. 332 // If unset, the message is "failed rule: {Rule}". 333 // e.g. "must be a URL with the host matching spec.host" 334 // If ExpressMessage is specified, Message will be ignored 335 // If the Expression contains line breaks. Eith Message or ExpressMessage is required. 336 // The message must not contain line breaks. 337 // If unset, the message is "failed Expression: {Expression}". 338 // +optional 339 Message string 340 // Reason represents a machine-readable description of why this validation failed. 341 // If this is the first validation in the list to fail, this reason, as well as the 342 // corresponding HTTP response code, are used in the 343 // HTTP response to the client. 344 // The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". 345 // If not set, StatusReasonInvalid is used in the response to the client. 346 // +optional 347 Reason *metav1.StatusReason 348 // messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. 349 // Since messageExpression is used as a failure message, it must evaluate to a string. 350 // If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. 351 // If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced 352 // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string 353 // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and 354 // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. 355 // messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. 356 // Example: 357 // "object.x must be less than max ("+string(params.max)+")" 358 // +optional 359 MessageExpression string 360 } 361 362 // Variable is the definition of a variable that is used for composition. A variable is defined as a named expression. 363 // +structType=atomic 364 type Variable struct { 365 // Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 366 // The variable can be accessed in other expressions through `variables` 367 // For example, if name is "foo", the variable will be available as `variables.foo` 368 Name string 369 370 // Expression is the expression that will be evaluated as the value of the variable. 371 // The CEL expression has access to the same identifiers as the CEL expressions in Validation. 372 Expression string 373 } 374 375 // AuditAnnotation describes how to produce an audit annotation for an API request. 376 type AuditAnnotation struct { 377 // key specifies the audit annotation key. The audit annotation keys of 378 // a ValidatingAdmissionPolicy must be unique. The key must be a qualified 379 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. 380 // 381 // The key is combined with the resource name of the 382 // ValidatingAdmissionPolicy to construct an audit annotation key: 383 // "{ValidatingAdmissionPolicy name}/{key}". 384 // 385 // If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy 386 // and the same audit annotation key, the annotation key will be identical. 387 // In this case, the first annotation written with the key will be included 388 // in the audit event and all subsequent annotations with the same key 389 // will be discarded. 390 // 391 // Required. 392 Key string 393 394 // valueExpression represents the expression which is evaluated by CEL to 395 // produce an audit annotation value. The expression must evaluate to either 396 // a string or null value. If the expression evaluates to a string, the 397 // audit annotation is included with the string value. If the expression 398 // evaluates to null or empty string the audit annotation will be omitted. 399 // The valueExpression may be no longer than 5kb in length. 400 // If the result of the valueExpression is more than 10kb in length, it 401 // will be truncated to 10kb. 402 // 403 // If multiple ValidatingAdmissionPolicyBinding resources match an 404 // API request, then the valueExpression will be evaluated for 405 // each binding. All unique values produced by the valueExpressions 406 // will be joined together in a comma-separated list. 407 // 408 // Required. 409 ValueExpression string 410 } 411 412 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 413 414 // ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. 415 // ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters. 416 // 417 // For a given admission request, each binding will cause its policy to be 418 // evaluated N times, where N is 1 for policies/bindings that don't use 419 // params, otherwise N is the number of parameters selected by the binding. 420 // 421 // The CEL expressions of a policy must have a computed CEL cost below the maximum 422 // CEL budget. Each evaluation of the policy is given an independent CEL cost budget. 423 // Adding/removing policies, bindings, or params can not affect whether a 424 // given (policy, binding, param) combination is within its own CEL budget. 425 type ValidatingAdmissionPolicyBinding struct { 426 metav1.TypeMeta 427 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 428 // +optional 429 metav1.ObjectMeta 430 // Specification of the desired behavior of the ValidatingAdmissionPolicyBinding. 431 Spec ValidatingAdmissionPolicyBindingSpec 432 } 433 434 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 435 436 // ValidatingAdmissionPolicyBindingList is a list of PolicyBinding. 437 type ValidatingAdmissionPolicyBindingList struct { 438 metav1.TypeMeta 439 // Standard list metadata. 440 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 441 // +optional 442 metav1.ListMeta 443 // List of PolicyBinding. 444 Items []ValidatingAdmissionPolicyBinding 445 } 446 447 // ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding. 448 type ValidatingAdmissionPolicyBindingSpec struct { 449 // PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. 450 // If the referenced resource does not exist, this binding is considered invalid and will be ignored 451 // Required. 452 PolicyName string 453 454 // paramRef specifies the parameter resource used to configure the admission control policy. 455 // It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. 456 // If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. 457 // If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param. 458 // +optional 459 ParamRef *ParamRef 460 461 // MatchResources declares what resources match this binding and will be validated by it. 462 // Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. 463 // If this is unset, all resources matched by the policy are validated by this binding 464 // When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. 465 // Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required. 466 // +optional 467 MatchResources *MatchResources 468 469 // validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. 470 // If a validation evaluates to false it is always enforced according to these actions. 471 // 472 // Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according 473 // to these actions only if the FailurePolicy is set to Fail, otherwise the failures are 474 // ignored. This includes compilation errors, runtime errors and misconfigurations of the policy. 475 // 476 // validationActions is declared as a set of action values. Order does 477 // not matter. validationActions may not contain duplicates of the same action. 478 // 479 // The supported actions values are: 480 // 481 // "Deny" specifies that a validation failure results in a denied request. 482 // 483 // "Warn" specifies that a validation failure is reported to the request client 484 // in HTTP Warning headers, with a warning code of 299. Warnings can be sent 485 // both for allowed or denied admission responses. 486 // 487 // "Audit" specifies that a validation failure is included in the published 488 // audit event for the request. The audit event will contain a 489 // `validation.policy.admission.k8s.io/validation_failure` audit annotation 490 // with a value containing the details of the validation failures, formatted as 491 // a JSON list of objects, each with the following fields: 492 // - message: The validation failure message string 493 // - policy: The resource name of the ValidatingAdmissionPolicy 494 // - binding: The resource name of the ValidatingAdmissionPolicyBinding 495 // - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy 496 // - validationActions: The enforcement actions enacted for the validation failure 497 // Example audit annotation: 498 // `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"` 499 // 500 // Clients should expect to handle additional values by ignoring 501 // any values not recognized. 502 // 503 // "Deny" and "Warn" may not be used together since this combination 504 // needlessly duplicates the validation failure both in the 505 // API response body and the HTTP warning headers. 506 // 507 // Required. 508 ValidationActions []ValidationAction 509 } 510 511 // ParamRef describes how to locate the params to be used as input to 512 // expressions of rules applied by a policy binding. 513 // +structType=atomic 514 type ParamRef struct { 515 // name is the name of the resource being referenced. 516 // 517 // One of `name` or `selector` must be set, but `name` and `selector` are 518 // mutually exclusive properties. If one is set, the other must be unset. 519 // 520 // A single parameter used for all admission requests can be configured 521 // by setting the `name` field, leaving `selector` blank, and setting namespace 522 // if `paramKind` is namespace-scoped. 523 // 524 // +optional 525 Name string 526 527 // namespace is the namespace of the referenced resource. Allows limiting 528 // the search for params to a specific namespace. Applies to both `name` and 529 // `selector` fields. 530 // 531 // A per-namespace parameter may be used by specifying a namespace-scoped 532 // `paramKind` in the policy and leaving this field empty. 533 // 534 // - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this 535 // field results in a configuration error. 536 // 537 // - If `paramKind` is namespace-scoped, the namespace of the object being 538 // evaluated for admission will be used when this field is left unset. Take 539 // care that if this is left empty the binding must not match any cluster-scoped 540 // resources, which will result in an error. 541 // 542 // +optional 543 Namespace string 544 545 // selector can be used to match multiple param objects based on their labels. 546 // Supply selector: {} to match all resources of the ParamKind. 547 // 548 // If multiple params are found, they are all evaluated with the policy expressions 549 // and the results are ANDed together. 550 // 551 // One of `name` or `selector` must be set, but `name` and `selector` are 552 // mutually exclusive properties. If one is set, the other must be unset. 553 // 554 // +optional 555 Selector *metav1.LabelSelector 556 557 // parameterNotFoundAction controls the behavior of the binding when the resource 558 // exists, and name or selector is valid, but there are no parameters 559 // matched by the binding. If the value is set to `Allow`, then no 560 // matched parameters will be treated as successful validation by the binding. 561 // If set to `Deny`, then no matched parameters will be subject to the 562 // `failurePolicy` of the policy. 563 // 564 // Allowed values are `Allow` or `Deny` 565 // 566 // Required 567 ParameterNotFoundAction *ParameterNotFoundActionType 568 } 569 570 // MatchResources decides whether to run the admission control policy on an object based 571 // on whether it meets the match criteria. 572 // The exclude rules take precedence over include rules (if a resource matches both, it is excluded) 573 type MatchResources struct { 574 // NamespaceSelector decides whether to run the admission control policy on an object based 575 // on whether the namespace for that object matches the selector. If the 576 // object itself is a namespace, the matching is performed on 577 // object.metadata.labels. If the object is another cluster scoped resource, 578 // it never skips the policy. 579 // 580 // For example, to run the webhook on any objects whose namespace is not 581 // associated with "runlevel" of "0" or "1"; you will set the selector as 582 // follows: 583 // "namespaceSelector": { 584 // "matchExpressions": [ 585 // { 586 // "key": "runlevel", 587 // "operator": "NotIn", 588 // "values": [ 589 // "0", 590 // "1" 591 // ] 592 // } 593 // ] 594 // } 595 // 596 // If instead you want to only run the policy on any objects whose 597 // namespace is associated with the "environment" of "prod" or "staging"; 598 // you will set the selector as follows: 599 // "namespaceSelector": { 600 // "matchExpressions": [ 601 // { 602 // "key": "environment", 603 // "operator": "In", 604 // "values": [ 605 // "prod", 606 // "staging" 607 // ] 608 // } 609 // ] 610 // } 611 // 612 // See 613 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 614 // for more examples of label selectors. 615 // 616 // Default to the empty LabelSelector, which matches everything. 617 // +optional 618 NamespaceSelector *metav1.LabelSelector 619 // ObjectSelector decides whether to run the validation based on if the 620 // object has matching labels. objectSelector is evaluated against both 621 // the oldObject and newObject that would be sent to the cel validation, and 622 // is considered to match if either object matches the selector. A null 623 // object (oldObject in the case of create, or newObject in the case of 624 // delete) or an object that cannot have labels (like a 625 // DeploymentRollback or a PodProxyOptions object) is not considered to 626 // match. 627 // Use the object selector only if the webhook is opt-in, because end 628 // users may skip the admission webhook by setting the labels. 629 // Default to the empty LabelSelector, which matches everything. 630 // +optional 631 ObjectSelector *metav1.LabelSelector 632 // ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. 633 // The policy cares about an operation if it matches _any_ Rule. 634 // +optional 635 ResourceRules []NamedRuleWithOperations 636 // ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. 637 // The exclude rules take precedence over include rules (if a resource matches both, it is excluded) 638 // +optional 639 ExcludeResourceRules []NamedRuleWithOperations 640 // matchPolicy defines how the "MatchResources" list is used to match incoming requests. 641 // Allowed values are "Exact" or "Equivalent". 642 // 643 // - Exact: match a request only if it exactly matches a specified rule. 644 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 645 // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 646 // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. 647 // 648 // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 649 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 650 // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 651 // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. 652 // 653 // Defaults to "Equivalent" 654 // +optional 655 MatchPolicy *MatchPolicyType 656 } 657 658 // ValidationAction specifies a policy enforcement action. 659 type ValidationAction string 660 661 const ( 662 // Deny specifies that a validation failure results in a denied request. 663 Deny ValidationAction = "Deny" 664 // Warn specifies that a validation failure is reported to the request client 665 // in HTTP Warning headers, with a warning code of 299. Warnings can be sent 666 // both for allowed or denied admission responses. 667 Warn ValidationAction = "Warn" 668 // Audit specifies that a validation failure is included in the published 669 // audit event for the request. The audit event will contain a 670 // `validation.policy.admission.k8s.io/validation_failure` audit annotation 671 // with a value containing the details of the validation failure. 672 Audit ValidationAction = "Audit" 673 ) 674 675 // NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. 676 type NamedRuleWithOperations struct { 677 // ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. 678 // +optional 679 ResourceNames []string 680 // RuleWithOperations is a tuple of Operations and Resources. 681 RuleWithOperations RuleWithOperations 682 } 683 684 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 685 686 // ValidatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects and object without changing it. 687 type ValidatingWebhookConfiguration struct { 688 metav1.TypeMeta 689 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 690 // +optional 691 metav1.ObjectMeta 692 // Webhooks is a list of webhooks and the affected resources and operations. 693 // +optional 694 Webhooks []ValidatingWebhook 695 } 696 697 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 698 699 // ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration. 700 type ValidatingWebhookConfigurationList struct { 701 metav1.TypeMeta 702 // Standard list metadata. 703 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 704 // +optional 705 metav1.ListMeta 706 // List of ValidatingWebhookConfigurations. 707 Items []ValidatingWebhookConfiguration 708 } 709 710 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 711 712 // MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. 713 type MutatingWebhookConfiguration struct { 714 metav1.TypeMeta 715 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. 716 // +optional 717 metav1.ObjectMeta 718 // Webhooks is a list of webhooks and the affected resources and operations. 719 // +optional 720 Webhooks []MutatingWebhook 721 } 722 723 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 724 725 // MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration. 726 type MutatingWebhookConfigurationList struct { 727 metav1.TypeMeta 728 // Standard list metadata. 729 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 730 // +optional 731 metav1.ListMeta 732 // List of MutatingWebhookConfiguration. 733 Items []MutatingWebhookConfiguration 734 } 735 736 // ValidatingWebhook describes an admission webhook and the resources and operations it applies to. 737 type ValidatingWebhook struct { 738 // The name of the admission webhook. 739 // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where 740 // "imagepolicy" is the name of the webhook, and kubernetes.io is the name 741 // of the organization. 742 // Required. 743 Name string 744 745 // ClientConfig defines how to communicate with the hook. 746 // Required 747 ClientConfig WebhookClientConfig 748 749 // Rules describes what operations on what resources/subresources the webhook cares about. 750 // The webhook cares about an operation if it matches _any_ Rule. 751 Rules []RuleWithOperations 752 753 // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - 754 // allowed values are Ignore or Fail. Defaults to Ignore. 755 // +optional 756 FailurePolicy *FailurePolicyType 757 758 // matchPolicy defines how the "rules" list is used to match incoming requests. 759 // Allowed values are "Exact" or "Equivalent". 760 // 761 // - Exact: match a request only if it exactly matches a specified rule. 762 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 763 // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 764 // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. 765 // 766 // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 767 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 768 // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 769 // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 770 // 771 // +optional 772 MatchPolicy *MatchPolicyType 773 774 // NamespaceSelector decides whether to run the webhook on an object based 775 // on whether the namespace for that object matches the selector. If the 776 // object itself is a namespace, the matching is performed on 777 // object.metadata.labels. If the object is another cluster scoped resource, 778 // it never skips the webhook. 779 // 780 // For example, to run the webhook on any objects whose namespace is not 781 // associated with "runlevel" of "0" or "1"; you will set the selector as 782 // follows: 783 // "namespaceSelector": { 784 // "matchExpressions": [ 785 // { 786 // "key": "runlevel", 787 // "operator": "NotIn", 788 // "values": [ 789 // "0", 790 // "1" 791 // ] 792 // } 793 // ] 794 // } 795 // 796 // If instead you want to only run the webhook on any objects whose 797 // namespace is associated with the "environment" of "prod" or "staging"; 798 // you will set the selector as follows: 799 // "namespaceSelector": { 800 // "matchExpressions": [ 801 // { 802 // "key": "environment", 803 // "operator": "In", 804 // "values": [ 805 // "prod", 806 // "staging" 807 // ] 808 // } 809 // ] 810 // } 811 // 812 // See 813 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 814 // for more examples of label selectors. 815 // 816 // Default to the empty LabelSelector, which matches everything. 817 // +optional 818 NamespaceSelector *metav1.LabelSelector 819 820 // ObjectSelector decides whether to run the webhook based on if the 821 // object has matching labels. objectSelector is evaluated against both 822 // the oldObject and newObject that would be sent to the webhook, and 823 // is considered to match if either object matches the selector. A null 824 // object (oldObject in the case of create, or newObject in the case of 825 // delete) or an object that cannot have labels (like a 826 // DeploymentRollback or a PodProxyOptions object) is not considered to 827 // match. 828 // Use the object selector only if the webhook is opt-in, because end 829 // users may skip the admission webhook by setting the labels. 830 // Default to the empty LabelSelector, which matches everything. 831 // +optional 832 ObjectSelector *metav1.LabelSelector 833 834 // SideEffects states whether this webhook has side effects. 835 // Acceptable values are: Unknown, None, Some, NoneOnDryRun 836 // Webhooks with side effects MUST implement a reconciliation system, since a request may be 837 // rejected by a future step in the admission chain and the side effects therefore need to be undone. 838 // Requests with the dryRun attribute will be auto-rejected if they match a webhook with 839 // sideEffects == Unknown or Some. Defaults to Unknown. 840 // +optional 841 SideEffects *SideEffectClass 842 843 // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, 844 // the webhook call will be ignored or the API call will fail based on the 845 // failure policy. 846 // The timeout value must be between 1 and 30 seconds. 847 // +optional 848 TimeoutSeconds *int32 849 850 // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` 851 // versions the Webhook expects. API server will try to use first version in 852 // the list which it supports. If none of the versions specified in this list 853 // supported by API server, validation will fail for this object. 854 // If the webhook configuration has already been persisted with a version apiserver 855 // does not understand, calls to the webhook will fail and be subject to the failure policy. 856 // +optional 857 AdmissionReviewVersions []string 858 859 // MatchConditions is a list of conditions that must be met for a request to be sent to this 860 // webhook. Match conditions filter requests that have already been matched by the rules, 861 // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. 862 // There are a maximum of 64 match conditions allowed. 863 // 864 // The exact matching logic is (in order): 865 // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. 866 // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. 867 // 3. If any matchCondition evaluates to an error (but none are FALSE): 868 // - If failurePolicy=Fail, reject the request 869 // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped 870 // 871 // +optional 872 MatchConditions []MatchCondition 873 } 874 875 // MutatingWebhook describes an admission webhook and the resources and operations it applies to. 876 type MutatingWebhook struct { 877 // The name of the admission webhook. 878 // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where 879 // "imagepolicy" is the name of the webhook, and kubernetes.io is the name 880 // of the organization. 881 // Required. 882 Name string 883 884 // ClientConfig defines how to communicate with the hook. 885 // Required 886 ClientConfig WebhookClientConfig 887 888 // Rules describes what operations on what resources/subresources the webhook cares about. 889 // The webhook cares about an operation if it matches _any_ Rule. 890 Rules []RuleWithOperations 891 892 // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - 893 // allowed values are Ignore or Fail. Defaults to Ignore. 894 // +optional 895 FailurePolicy *FailurePolicyType 896 897 // matchPolicy defines how the "rules" list is used to match incoming requests. 898 // Allowed values are "Exact" or "Equivalent". 899 // 900 // - Exact: match a request only if it exactly matches a specified rule. 901 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 902 // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 903 // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. 904 // 905 // - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 906 // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, 907 // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, 908 // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. 909 // 910 // +optional 911 MatchPolicy *MatchPolicyType 912 913 // NamespaceSelector decides whether to run the webhook on an object based 914 // on whether the namespace for that object matches the selector. If the 915 // object itself is a namespace, the matching is performed on 916 // object.metadata.labels. If the object is another cluster scoped resource, 917 // it never skips the webhook. 918 // 919 // For example, to run the webhook on any objects whose namespace is not 920 // associated with "runlevel" of "0" or "1"; you will set the selector as 921 // follows: 922 // "namespaceSelector": { 923 // "matchExpressions": [ 924 // { 925 // "key": "runlevel", 926 // "operator": "NotIn", 927 // "values": [ 928 // "0", 929 // "1" 930 // ] 931 // } 932 // ] 933 // } 934 // 935 // If instead you want to only run the webhook on any objects whose 936 // namespace is associated with the "environment" of "prod" or "staging"; 937 // you will set the selector as follows: 938 // "namespaceSelector": { 939 // "matchExpressions": [ 940 // { 941 // "key": "environment", 942 // "operator": "In", 943 // "values": [ 944 // "prod", 945 // "staging" 946 // ] 947 // } 948 // ] 949 // } 950 // 951 // See 952 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 953 // for more examples of label selectors. 954 // 955 // Default to the empty LabelSelector, which matches everything. 956 // +optional 957 NamespaceSelector *metav1.LabelSelector 958 959 // ObjectSelector decides whether to run the webhook based on if the 960 // object has matching labels. objectSelector is evaluated against both 961 // the oldObject and newObject that would be sent to the webhook, and 962 // is considered to match if either object matches the selector. A null 963 // object (oldObject in the case of create, or newObject in the case of 964 // delete) or an object that cannot have labels (like a 965 // DeploymentRollback or a PodProxyOptions object) is not considered to 966 // match. 967 // Use the object selector only if the webhook is opt-in, because end 968 // users may skip the admission webhook by setting the labels. 969 // Default to the empty LabelSelector, which matches everything. 970 // +optional 971 ObjectSelector *metav1.LabelSelector 972 973 // SideEffects states whether this webhook has side effects. 974 // Acceptable values are: Unknown, None, Some, NoneOnDryRun 975 // Webhooks with side effects MUST implement a reconciliation system, since a request may be 976 // rejected by a future step in the admission chain and the side effects therefore need to be undone. 977 // Requests with the dryRun attribute will be auto-rejected if they match a webhook with 978 // sideEffects == Unknown or Some. Defaults to Unknown. 979 // +optional 980 SideEffects *SideEffectClass 981 982 // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, 983 // the webhook call will be ignored or the API call will fail based on the 984 // failure policy. 985 // The timeout value must be between 1 and 30 seconds. 986 // +optional 987 TimeoutSeconds *int32 988 989 // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` 990 // versions the Webhook expects. API server will try to use first version in 991 // the list which it supports. If none of the versions specified in this list 992 // supported by API server, validation will fail for this object. 993 // If the webhook configuration has already been persisted with a version apiserver 994 // does not understand, calls to the webhook will fail and be subject to the failure policy. 995 // +optional 996 AdmissionReviewVersions []string 997 998 // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. 999 // Allowed values are "Never" and "IfNeeded". 1000 // 1001 // Never: the webhook will not be called more than once in a single admission evaluation. 1002 // 1003 // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation 1004 // if the object being admitted is modified by other admission plugins after the initial webhook call. 1005 // Webhooks that specify this option *must* be idempotent, and hence able to process objects they previously admitted. 1006 // Note: 1007 // * the number of additional invocations is not guaranteed to be exactly one. 1008 // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. 1009 // * webhooks that use this option may be reordered to minimize the number of additional invocations. 1010 // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. 1011 // 1012 // Defaults to "Never". 1013 // +optional 1014 ReinvocationPolicy *ReinvocationPolicyType 1015 1016 // MatchConditions is a list of conditions that must be met for a request to be sent to this 1017 // webhook. Match conditions filter requests that have already been matched by the rules, 1018 // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. 1019 // There are a maximum of 64 match conditions allowed. 1020 // 1021 // The exact matching logic is (in order): 1022 // 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped. 1023 // 2. If ALL matchConditions evaluate to TRUE, the webhook is called. 1024 // 3. If any matchCondition evaluates to an error (but none are FALSE): 1025 // - If failurePolicy=Fail, reject the request 1026 // - If failurePolicy=Ignore, the error is ignored and the webhook is skipped 1027 // 1028 // +optional 1029 MatchConditions []MatchCondition 1030 } 1031 1032 // ReinvocationPolicyType specifies what type of policy the admission hook uses. 1033 type ReinvocationPolicyType string 1034 1035 var ( 1036 // NeverReinvocationPolicy indicates that the webhook must not be called more than once in a 1037 // single admission evaluation. 1038 NeverReinvocationPolicy ReinvocationPolicyType = "Never" 1039 // IfNeededReinvocationPolicy indicates that the webhook may be called at least one 1040 // additional time as part of the admission evaluation if the object being admitted is 1041 // modified by other admission plugins after the initial webhook call. 1042 IfNeededReinvocationPolicy ReinvocationPolicyType = "IfNeeded" 1043 ) 1044 1045 // RuleWithOperations is a tuple of Operations and Resources. It is recommended to make 1046 // sure that all the tuple expansions are valid. 1047 type RuleWithOperations struct { 1048 // Operations is the operations the admission hook cares about - CREATE, UPDATE, or * 1049 // for all operations. 1050 // If '*' is present, the length of the slice must be one. 1051 // Required. 1052 Operations []OperationType 1053 // Rule is embedded, it describes other criteria of the rule, like 1054 // APIGroups, APIVersions, Resources, etc. 1055 Rule 1056 } 1057 1058 // OperationType specifies what type of operation the admission hook cares about. 1059 type OperationType string 1060 1061 // The constants should be kept in sync with those defined in k8s.io/kubernetes/pkg/admission/interface.go. 1062 const ( 1063 OperationAll OperationType = "*" 1064 Create OperationType = "CREATE" 1065 Update OperationType = "UPDATE" 1066 Delete OperationType = "DELETE" 1067 Connect OperationType = "CONNECT" 1068 ) 1069 1070 // WebhookClientConfig contains the information to make a TLS 1071 // connection with the webhook 1072 type WebhookClientConfig struct { 1073 // `url` gives the location of the webhook, in standard URL form 1074 // (`scheme://host:port/path`). Exactly one of `url` or `service` 1075 // must be specified. 1076 // 1077 // The `host` should not refer to a service running in the cluster; use 1078 // the `service` field instead. The host might be resolved via external 1079 // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve 1080 // in-cluster DNS as that would be a layering violation). `host` may 1081 // also be an IP address. 1082 // 1083 // Please note that using `localhost` or `127.0.0.1` as a `host` is 1084 // risky unless you take great care to run this webhook on all hosts 1085 // which run an apiserver which might need to make calls to this 1086 // webhook. Such installs are likely to be non-portable, i.e., not easy 1087 // to turn up in a new cluster. 1088 // 1089 // The scheme must be "https"; the URL must begin with "https://". 1090 // 1091 // A path is optional, and if present may be any string permissible in 1092 // a URL. You may use the path to pass an arbitrary string to the 1093 // webhook, for example, a cluster identifier. 1094 // 1095 // Attempting to use a user or basic auth e.g. "user:password@" is not 1096 // allowed. Fragments ("#...") and query parameters ("?...") are not 1097 // allowed, either. 1098 // 1099 // +optional 1100 URL *string 1101 1102 // `service` is a reference to the service for this webhook. Either 1103 // `service` or `url` must be specified. 1104 // 1105 // If the webhook is running within the cluster, then you should use `service`. 1106 // 1107 // +optional 1108 Service *ServiceReference 1109 1110 // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. 1111 // If unspecified, system trust roots on the apiserver are used. 1112 // +optional 1113 CABundle []byte 1114 } 1115 1116 // ServiceReference holds a reference to Service.legacy.k8s.io 1117 type ServiceReference struct { 1118 // `namespace` is the namespace of the service. 1119 // Required 1120 Namespace string 1121 // `name` is the name of the service. 1122 // Required 1123 Name string 1124 1125 // `path` is an optional URL path which will be sent in any request to 1126 // this service. 1127 // +optional 1128 Path *string 1129 1130 // If specified, the port on the service that hosting webhook. 1131 // `port` should be a valid port number (1-65535, inclusive). 1132 // +optional 1133 Port int32 1134 } 1135 1136 // MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 1137 type MatchCondition struct { 1138 // Name is an identifier for this match condition, used for strategic merging of MatchConditions, 1139 // as well as providing an identifier for logging purposes. A good name should be descriptive of 1140 // the associated expression. 1141 // Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and 1142 // must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or 1143 // '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an 1144 // optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') 1145 // 1146 // Required. 1147 Name string 1148 1149 // Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 1150 // CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: 1151 // 1152 // 'object' - The object from the incoming request. The value is null for DELETE requests. 1153 // 'oldObject' - The existing object. The value is null for CREATE requests. 1154 // 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 1155 // 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 1156 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 1157 // 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the 1158 // request resource. 1159 // 'variables' - Map of composited variables, from its name to its lazily evaluated value. 1160 // For example, a variable named 'foo' can be access as 'variables.foo' 1161 // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ 1162 // 1163 // Required. 1164 Expression string 1165 } 1166