├── .assets ├── kyverno-json-horizontal.png ├── kyverno-json-logo.png └── kyverno-json-logo.pptx ├── .crds └── json.kyverno.io_validatingpolicies.yaml ├── .docs ├── LABELS.md ├── PLAYGROUND_EXAMPLES.md └── RELEASE.md ├── .github ├── ISSUE_TEMPLATE │ ├── VULN-TEMPLATE.md │ ├── bug.yaml │ └── feature-request.yaml ├── PULL_REQUEST_TEMPLATE.md ├── cherry-pick-bot.yml ├── dependabot.yml └── workflows │ ├── ah-lint.yaml │ ├── check-actions.yaml │ ├── codegen.yaml │ ├── codeql.yaml │ ├── ct-lint.yaml │ ├── docs-main.yaml │ ├── docs-release.yaml │ ├── helm-install.yaml │ ├── helm-release.yaml │ ├── lint.yaml │ ├── pr-semantics.yaml │ ├── release.yaml │ └── tests.yaml ├── .gitignore ├── .golangci.yml ├── .goreleaser.yaml ├── .hack └── boilerplate.go.txt ├── .release-notes ├── _template.md ├── main.md ├── v0.0.1.md └── v0.0.2.md ├── .schemas ├── json │ ├── _definitions.json │ ├── affinity-v1.json │ ├── aggregationrule-rbac-v1.json │ ├── all.json │ ├── apigroup-meta-v1.json │ ├── apigrouplist-meta-v1.json │ ├── apiresource-meta-v1.json │ ├── apiresourcelist-meta-v1.json │ ├── apiservice-apiregistration-v1.json │ ├── apiservicecondition-apiregistration-v1.json │ ├── apiservicelist-apiregistration-v1.json │ ├── apiservicespec-apiregistration-v1.json │ ├── apiservicestatus-apiregistration-v1.json │ ├── apiversions-meta-v1.json │ ├── apparmorprofile-v1.json │ ├── attachedvolume-v1.json │ ├── auditannotation-admissionregistration-v1.json │ ├── awselasticblockstorevolumesource-v1.json │ ├── azurediskvolumesource-v1.json │ ├── azurefilepersistentvolumesource-v1.json │ ├── azurefilevolumesource-v1.json │ ├── binding-v1.json │ ├── boundobjectreference-authentication-v1.json │ ├── capabilities-v1.json │ ├── cephfspersistentvolumesource-v1.json │ ├── cephfsvolumesource-v1.json │ ├── certificatesigningrequest-certificates-v1.json │ ├── certificatesigningrequestcondition-certificates-v1.json │ ├── certificatesigningrequestlist-certificates-v1.json │ ├── 
certificatesigningrequestspec-certificates-v1.json │ ├── certificatesigningrequeststatus-certificates-v1.json │ ├── cinderpersistentvolumesource-v1.json │ ├── cindervolumesource-v1.json │ ├── claimsource-v1.json │ ├── clientipconfig-v1.json │ ├── clusterrole-rbac-v1.json │ ├── clusterrolebinding-rbac-v1.json │ ├── clusterrolebindinglist-rbac-v1.json │ ├── clusterrolelist-rbac-v1.json │ ├── clustertrustbundleprojection-v1.json │ ├── componentcondition-v1.json │ ├── componentstatus-v1.json │ ├── componentstatuslist-v1.json │ ├── condition-meta-v1.json │ ├── configmap-v1.json │ ├── configmapenvsource-v1.json │ ├── configmapkeyselector-v1.json │ ├── configmaplist-v1.json │ ├── configmapnodeconfigsource-v1.json │ ├── configmapprojection-v1.json │ ├── configmapvolumesource-v1.json │ ├── container-v1.json │ ├── containerimage-v1.json │ ├── containerport-v1.json │ ├── containerresizepolicy-v1.json │ ├── containerresourcemetricsource-autoscaling-v2.json │ ├── containerresourcemetricstatus-autoscaling-v2.json │ ├── containerstate-v1.json │ ├── containerstaterunning-v1.json │ ├── containerstateterminated-v1.json │ ├── containerstatewaiting-v1.json │ ├── containerstatus-v1.json │ ├── controllerrevision-apps-v1.json │ ├── controllerrevisionlist-apps-v1.json │ ├── cronjob-batch-v1.json │ ├── cronjoblist-batch-v1.json │ ├── cronjobspec-batch-v1.json │ ├── cronjobstatus-batch-v1.json │ ├── crossversionobjectreference-autoscaling-v1.json │ ├── crossversionobjectreference-autoscaling-v2.json │ ├── csidriver-storage-v1.json │ ├── csidriverlist-storage-v1.json │ ├── csidriverspec-storage-v1.json │ ├── csinode-storage-v1.json │ ├── csinodedriver-storage-v1.json │ ├── csinodelist-storage-v1.json │ ├── csinodespec-storage-v1.json │ ├── csipersistentvolumesource-v1.json │ ├── csistoragecapacity-storage-v1.json │ ├── csistoragecapacitylist-storage-v1.json │ ├── csivolumesource-v1.json │ ├── customresourcecolumndefinition-apiextensions-v1.json │ ├── 
customresourceconversion-apiextensions-v1.json │ ├── customresourcedefinitioncondition-apiextensions-v1.json │ ├── customresourcedefinitionnames-apiextensions-v1.json │ ├── customresourcedefinitionstatus-apiextensions-v1.json │ ├── customresourcesubresources-apiextensions-v1.json │ ├── customresourcesubresourcescale-apiextensions-v1.json │ ├── customresourcesubresourcestatus-apiextensions-v1.json │ ├── daemonendpoint-v1.json │ ├── daemonset-apps-v1.json │ ├── daemonsetcondition-apps-v1.json │ ├── daemonsetlist-apps-v1.json │ ├── daemonsetspec-apps-v1.json │ ├── daemonsetstatus-apps-v1.json │ ├── daemonsetupdatestrategy-apps-v1.json │ ├── deleteoptions-meta-v1.json │ ├── deployment-apps-v1.json │ ├── deploymentcondition-apps-v1.json │ ├── deploymentlist-apps-v1.json │ ├── deploymentspec-apps-v1.json │ ├── deploymentstatus-apps-v1.json │ ├── deploymentstrategy-apps-v1.json │ ├── downwardapiprojection-v1.json │ ├── downwardapivolumefile-v1.json │ ├── downwardapivolumesource-v1.json │ ├── emptydirvolumesource-v1.json │ ├── endpoint-discovery-v1.json │ ├── endpointaddress-v1.json │ ├── endpointconditions-discovery-v1.json │ ├── endpointhints-discovery-v1.json │ ├── endpointport-discovery-v1.json │ ├── endpointport-v1.json │ ├── endpoints-v1.json │ ├── endpointslice-discovery-v1.json │ ├── endpointslicelist-discovery-v1.json │ ├── endpointslist-v1.json │ ├── endpointsubset-v1.json │ ├── envfromsource-v1.json │ ├── envvar-v1.json │ ├── envvarsource-v1.json │ ├── ephemeralcontainer-v1.json │ ├── ephemeralvolumesource-v1.json │ ├── event-events-v1.json │ ├── event-v1.json │ ├── eventlist-events-v1.json │ ├── eventlist-v1.json │ ├── eventseries-events-v1.json │ ├── eventseries-v1.json │ ├── eventsource-v1.json │ ├── eviction-policy-v1.json │ ├── execaction-v1.json │ ├── exemptprioritylevelconfiguration-flowcontrol-v1.json │ ├── exemptprioritylevelconfiguration-flowcontrol-v1beta3.json │ ├── expressionwarning-admissionregistration-v1.json │ ├── 
externaldocumentation-apiextensions-v1.json │ ├── externalmetricsource-autoscaling-v2.json │ ├── externalmetricstatus-autoscaling-v2.json │ ├── fcvolumesource-v1.json │ ├── fieldsv1-meta-v1.json │ ├── flexpersistentvolumesource-v1.json │ ├── flexvolumesource-v1.json │ ├── flockervolumesource-v1.json │ ├── flowdistinguishermethod-flowcontrol-v1.json │ ├── flowdistinguishermethod-flowcontrol-v1beta3.json │ ├── flowschema-flowcontrol-v1.json │ ├── flowschema-flowcontrol-v1beta3.json │ ├── flowschemacondition-flowcontrol-v1.json │ ├── flowschemacondition-flowcontrol-v1beta3.json │ ├── flowschemalist-flowcontrol-v1.json │ ├── flowschemalist-flowcontrol-v1beta3.json │ ├── flowschemaspec-flowcontrol-v1.json │ ├── flowschemaspec-flowcontrol-v1beta3.json │ ├── flowschemastatus-flowcontrol-v1.json │ ├── flowschemastatus-flowcontrol-v1beta3.json │ ├── forzone-discovery-v1.json │ ├── gcepersistentdiskvolumesource-v1.json │ ├── gitrepovolumesource-v1.json │ ├── glusterfspersistentvolumesource-v1.json │ ├── glusterfsvolumesource-v1.json │ ├── groupsubject-flowcontrol-v1.json │ ├── groupsubject-flowcontrol-v1beta3.json │ ├── groupversionfordiscovery-meta-v1.json │ ├── grpcaction-v1.json │ ├── horizontalpodautoscaler-autoscaling-v1.json │ ├── horizontalpodautoscaler-autoscaling-v2.json │ ├── horizontalpodautoscalerbehavior-autoscaling-v2.json │ ├── horizontalpodautoscalercondition-autoscaling-v2.json │ ├── horizontalpodautoscalerlist-autoscaling-v1.json │ ├── horizontalpodautoscalerlist-autoscaling-v2.json │ ├── horizontalpodautoscalerspec-autoscaling-v1.json │ ├── horizontalpodautoscalerspec-autoscaling-v2.json │ ├── horizontalpodautoscalerstatus-autoscaling-v1.json │ ├── horizontalpodautoscalerstatus-autoscaling-v2.json │ ├── hostalias-v1.json │ ├── hostip-v1.json │ ├── hostpathvolumesource-v1.json │ ├── hpascalingpolicy-autoscaling-v2.json │ ├── hpascalingrules-autoscaling-v2.json │ ├── httpgetaction-v1.json │ ├── httpheader-v1.json │ ├── httpingresspath-networking-v1.json │ 
├── httpingressrulevalue-networking-v1.json │ ├── info-pkg-version.json │ ├── ingress-networking-v1.json │ ├── ingressbackend-networking-v1.json │ ├── ingressclass-networking-v1.json │ ├── ingressclasslist-networking-v1.json │ ├── ingressclassparametersreference-networking-v1.json │ ├── ingressclassspec-networking-v1.json │ ├── ingresslist-networking-v1.json │ ├── ingressloadbalanceringress-networking-v1.json │ ├── ingressloadbalancerstatus-networking-v1.json │ ├── ingressportstatus-networking-v1.json │ ├── ingressrule-networking-v1.json │ ├── ingressservicebackend-networking-v1.json │ ├── ingressspec-networking-v1.json │ ├── ingressstatus-networking-v1.json │ ├── ingresstls-networking-v1.json │ ├── intorstring-util-intstr.json │ ├── ipblock-networking-v1.json │ ├── iscsipersistentvolumesource-v1.json │ ├── iscsivolumesource-v1.json │ ├── job-batch-v1.json │ ├── jobcondition-batch-v1.json │ ├── joblist-batch-v1.json │ ├── jobspec-batch-v1.json │ ├── jobstatus-batch-v1.json │ ├── jobtemplatespec-batch-v1.json │ ├── json-apiextensions-v1.json │ ├── keytopath-v1.json │ ├── labelselector-meta-v1.json │ ├── labelselectorrequirement-meta-v1.json │ ├── lease-coordination-v1.json │ ├── leaselist-coordination-v1.json │ ├── leasespec-coordination-v1.json │ ├── lifecycle-v1.json │ ├── lifecyclehandler-v1.json │ ├── limitedprioritylevelconfiguration-flowcontrol-v1.json │ ├── limitedprioritylevelconfiguration-flowcontrol-v1beta3.json │ ├── limitrange-v1.json │ ├── limitrangeitem-v1.json │ ├── limitrangelist-v1.json │ ├── limitrangespec-v1.json │ ├── limitresponse-flowcontrol-v1.json │ ├── limitresponse-flowcontrol-v1beta3.json │ ├── listmeta-meta-v1.json │ ├── loadbalanceringress-v1.json │ ├── loadbalancerstatus-v1.json │ ├── localobjectreference-v1.json │ ├── localsubjectaccessreview-authorization-v1.json │ ├── localvolumesource-v1.json │ ├── managedfieldsentry-meta-v1.json │ ├── matchcondition-admissionregistration-v1.json │ ├── matchresources-admissionregistration-v1.json │ 
├── metricidentifier-autoscaling-v2.json │ ├── metricspec-autoscaling-v2.json │ ├── metricstatus-autoscaling-v2.json │ ├── metrictarget-autoscaling-v2.json │ ├── metricvaluestatus-autoscaling-v2.json │ ├── microtime-meta-v1.json │ ├── modifyvolumestatus-v1.json │ ├── mutatingwebhook-admissionregistration-v1.json │ ├── mutatingwebhookconfiguration-admissionregistration-v1.json │ ├── mutatingwebhookconfigurationlist-admissionregistration-v1.json │ ├── namedrulewithoperations-admissionregistration-v1.json │ ├── namespace-v1.json │ ├── namespacecondition-v1.json │ ├── namespacelist-v1.json │ ├── namespacespec-v1.json │ ├── namespacestatus-v1.json │ ├── networkpolicy-networking-v1.json │ ├── networkpolicyegressrule-networking-v1.json │ ├── networkpolicyingressrule-networking-v1.json │ ├── networkpolicylist-networking-v1.json │ ├── networkpolicypeer-networking-v1.json │ ├── networkpolicyport-networking-v1.json │ ├── networkpolicyspec-networking-v1.json │ ├── nfsvolumesource-v1.json │ ├── node-v1.json │ ├── nodeaddress-v1.json │ ├── nodeaffinity-v1.json │ ├── nodecondition-v1.json │ ├── nodeconfigsource-v1.json │ ├── nodeconfigstatus-v1.json │ ├── nodedaemonendpoints-v1.json │ ├── nodelist-v1.json │ ├── noderuntimehandler-v1.json │ ├── noderuntimehandlerfeatures-v1.json │ ├── nodeselector-v1.json │ ├── nodeselectorrequirement-v1.json │ ├── nodeselectorterm-v1.json │ ├── nodespec-v1.json │ ├── nodestatus-v1.json │ ├── nodesysteminfo-v1.json │ ├── nonresourceattributes-authorization-v1.json │ ├── nonresourcepolicyrule-flowcontrol-v1.json │ ├── nonresourcepolicyrule-flowcontrol-v1beta3.json │ ├── nonresourcerule-authorization-v1.json │ ├── objectfieldselector-v1.json │ ├── objectmeta-meta-v1.json │ ├── objectmetricsource-autoscaling-v2.json │ ├── objectmetricstatus-autoscaling-v2.json │ ├── objectreference-v1.json │ ├── overhead-node-v1.json │ ├── ownerreference-meta-v1.json │ ├── paramkind-admissionregistration-v1.json │ ├── paramref-admissionregistration-v1.json │ ├── 
patch-meta-v1.json │ ├── persistentvolume-v1.json │ ├── persistentvolumeclaim-v1.json │ ├── persistentvolumeclaimcondition-v1.json │ ├── persistentvolumeclaimlist-v1.json │ ├── persistentvolumeclaimspec-v1.json │ ├── persistentvolumeclaimstatus-v1.json │ ├── persistentvolumeclaimtemplate-v1.json │ ├── persistentvolumeclaimvolumesource-v1.json │ ├── persistentvolumelist-v1.json │ ├── persistentvolumespec-v1.json │ ├── persistentvolumestatus-v1.json │ ├── photonpersistentdiskvolumesource-v1.json │ ├── pod-v1.json │ ├── podaffinity-v1.json │ ├── podaffinityterm-v1.json │ ├── podantiaffinity-v1.json │ ├── podcondition-v1.json │ ├── poddisruptionbudget-policy-v1.json │ ├── poddisruptionbudgetlist-policy-v1.json │ ├── poddisruptionbudgetspec-policy-v1.json │ ├── poddisruptionbudgetstatus-policy-v1.json │ ├── poddnsconfig-v1.json │ ├── poddnsconfigoption-v1.json │ ├── podfailurepolicy-batch-v1.json │ ├── podfailurepolicyonexitcodesrequirement-batch-v1.json │ ├── podfailurepolicyonpodconditionspattern-batch-v1.json │ ├── podfailurepolicyrule-batch-v1.json │ ├── podip-v1.json │ ├── podlist-v1.json │ ├── podos-v1.json │ ├── podreadinessgate-v1.json │ ├── podresourceclaim-v1.json │ ├── podresourceclaimstatus-v1.json │ ├── podschedulinggate-v1.json │ ├── podsecuritycontext-v1.json │ ├── podsmetricsource-autoscaling-v2.json │ ├── podsmetricstatus-autoscaling-v2.json │ ├── podspec-v1.json │ ├── podstatus-v1.json │ ├── podtemplate-v1.json │ ├── podtemplatelist-v1.json │ ├── podtemplatespec-v1.json │ ├── policyrule-rbac-v1.json │ ├── policyruleswithsubjects-flowcontrol-v1.json │ ├── policyruleswithsubjects-flowcontrol-v1beta3.json │ ├── portstatus-v1.json │ ├── portworxvolumesource-v1.json │ ├── preconditions-meta-v1.json │ ├── preferredschedulingterm-v1.json │ ├── priorityclass-scheduling-v1.json │ ├── priorityclasslist-scheduling-v1.json │ ├── prioritylevelconfiguration-flowcontrol-v1.json │ ├── prioritylevelconfiguration-flowcontrol-v1beta3.json │ ├── 
prioritylevelconfigurationcondition-flowcontrol-v1.json │ ├── prioritylevelconfigurationcondition-flowcontrol-v1beta3.json │ ├── prioritylevelconfigurationlist-flowcontrol-v1.json │ ├── prioritylevelconfigurationlist-flowcontrol-v1beta3.json │ ├── prioritylevelconfigurationreference-flowcontrol-v1.json │ ├── prioritylevelconfigurationreference-flowcontrol-v1beta3.json │ ├── prioritylevelconfigurationspec-flowcontrol-v1.json │ ├── prioritylevelconfigurationspec-flowcontrol-v1beta3.json │ ├── prioritylevelconfigurationstatus-flowcontrol-v1.json │ ├── prioritylevelconfigurationstatus-flowcontrol-v1beta3.json │ ├── probe-v1.json │ ├── projectedvolumesource-v1.json │ ├── quantity-resource.json │ ├── queuingconfiguration-flowcontrol-v1.json │ ├── queuingconfiguration-flowcontrol-v1beta3.json │ ├── quobytevolumesource-v1.json │ ├── rawextension-pkg-runtime.json │ ├── rbdpersistentvolumesource-v1.json │ ├── rbdvolumesource-v1.json │ ├── replicaset-apps-v1.json │ ├── replicasetcondition-apps-v1.json │ ├── replicasetlist-apps-v1.json │ ├── replicasetspec-apps-v1.json │ ├── replicasetstatus-apps-v1.json │ ├── replicationcontroller-v1.json │ ├── replicationcontrollercondition-v1.json │ ├── replicationcontrollerlist-v1.json │ ├── replicationcontrollerspec-v1.json │ ├── replicationcontrollerstatus-v1.json │ ├── resourceattributes-authorization-v1.json │ ├── resourceclaim-v1.json │ ├── resourcefieldselector-v1.json │ ├── resourcemetricsource-autoscaling-v2.json │ ├── resourcemetricstatus-autoscaling-v2.json │ ├── resourcepolicyrule-flowcontrol-v1.json │ ├── resourcepolicyrule-flowcontrol-v1beta3.json │ ├── resourcequota-v1.json │ ├── resourcequotalist-v1.json │ ├── resourcequotaspec-v1.json │ ├── resourcequotastatus-v1.json │ ├── resourcerequirements-v1.json │ ├── resourcerule-authorization-v1.json │ ├── role-rbac-v1.json │ ├── rolebinding-rbac-v1.json │ ├── rolebindinglist-rbac-v1.json │ ├── rolelist-rbac-v1.json │ ├── roleref-rbac-v1.json │ ├── 
rollingupdatedaemonset-apps-v1.json │ ├── rollingupdatedeployment-apps-v1.json │ ├── rollingupdatestatefulsetstrategy-apps-v1.json │ ├── rulewithoperations-admissionregistration-v1.json │ ├── runtimeclass-node-v1.json │ ├── runtimeclasslist-node-v1.json │ ├── scale-autoscaling-v1.json │ ├── scaleiopersistentvolumesource-v1.json │ ├── scaleiovolumesource-v1.json │ ├── scalespec-autoscaling-v1.json │ ├── scalestatus-autoscaling-v1.json │ ├── scheduling-node-v1.json │ ├── scopedresourceselectorrequirement-v1.json │ ├── scopeselector-v1.json │ ├── seccompprofile-v1.json │ ├── secret-v1.json │ ├── secretenvsource-v1.json │ ├── secretkeyselector-v1.json │ ├── secretlist-v1.json │ ├── secretprojection-v1.json │ ├── secretreference-v1.json │ ├── secretvolumesource-v1.json │ ├── securitycontext-v1.json │ ├── selectablefield-apiextensions-v1.json │ ├── selfsubjectaccessreview-authorization-v1.json │ ├── selfsubjectaccessreviewspec-authorization-v1.json │ ├── selfsubjectreview-authentication-v1.json │ ├── selfsubjectreviewstatus-authentication-v1.json │ ├── selfsubjectrulesreview-authorization-v1.json │ ├── selfsubjectrulesreviewspec-authorization-v1.json │ ├── selinuxoptions-v1.json │ ├── serveraddressbyclientcidr-meta-v1.json │ ├── service-v1.json │ ├── serviceaccount-v1.json │ ├── serviceaccountlist-v1.json │ ├── serviceaccountsubject-flowcontrol-v1.json │ ├── serviceaccountsubject-flowcontrol-v1beta3.json │ ├── serviceaccounttokenprojection-v1.json │ ├── servicebackendport-networking-v1.json │ ├── servicelist-v1.json │ ├── serviceport-v1.json │ ├── servicereference-admissionregistration-v1.json │ ├── servicereference-apiextensions-v1.json │ ├── servicereference-apiregistration-v1.json │ ├── servicespec-v1.json │ ├── servicestatus-v1.json │ ├── sessionaffinityconfig-v1.json │ ├── sleepaction-v1.json │ ├── statefulset-apps-v1.json │ ├── statefulsetcondition-apps-v1.json │ ├── statefulsetlist-apps-v1.json │ ├── statefulsetordinals-apps-v1.json │ ├── 
statefulsetpersistentvolumeclaimretentionpolicy-apps-v1.json │ ├── statefulsetspec-apps-v1.json │ ├── statefulsetstatus-apps-v1.json │ ├── statefulsetupdatestrategy-apps-v1.json │ ├── status-meta-v1.json │ ├── statuscause-meta-v1.json │ ├── statusdetails-meta-v1.json │ ├── storageclass-storage-v1.json │ ├── storageclasslist-storage-v1.json │ ├── storageospersistentvolumesource-v1.json │ ├── storageosvolumesource-v1.json │ ├── subject-flowcontrol-v1.json │ ├── subject-flowcontrol-v1beta3.json │ ├── subject-rbac-v1.json │ ├── subjectaccessreview-authorization-v1.json │ ├── subjectaccessreviewspec-authorization-v1.json │ ├── subjectaccessreviewstatus-authorization-v1.json │ ├── subjectrulesreviewstatus-authorization-v1.json │ ├── successpolicy-batch-v1.json │ ├── successpolicyrule-batch-v1.json │ ├── sysctl-v1.json │ ├── taint-v1.json │ ├── tcpsocketaction-v1.json │ ├── time-meta-v1.json │ ├── tokenrequest-authentication-v1.json │ ├── tokenrequest-storage-v1.json │ ├── tokenrequestspec-authentication-v1.json │ ├── tokenrequeststatus-authentication-v1.json │ ├── tokenreview-authentication-v1.json │ ├── tokenreviewspec-authentication-v1.json │ ├── tokenreviewstatus-authentication-v1.json │ ├── toleration-v1.json │ ├── topologyselectorlabelrequirement-v1.json │ ├── topologyselectorterm-v1.json │ ├── topologyspreadconstraint-v1.json │ ├── typechecking-admissionregistration-v1.json │ ├── typedlocalobjectreference-v1.json │ ├── typedobjectreference-v1.json │ ├── uncountedterminatedpods-batch-v1.json │ ├── userinfo-authentication-v1.json │ ├── usersubject-flowcontrol-v1.json │ ├── usersubject-flowcontrol-v1beta3.json │ ├── validatingadmissionpolicy-admissionregistration-v1.json │ ├── validatingadmissionpolicybinding-admissionregistration-v1.json │ ├── validatingadmissionpolicybindinglist-admissionregistration-v1.json │ ├── validatingadmissionpolicybindingspec-admissionregistration-v1.json │ ├── validatingadmissionpolicylist-admissionregistration-v1.json │ ├── 
validatingadmissionpolicyspec-admissionregistration-v1.json │ ├── validatingadmissionpolicystatus-admissionregistration-v1.json │ ├── validatingpolicy-json-v1alpha1.json │ ├── validatingpolicylist-json-v1alpha1.json │ ├── validatingwebhook-admissionregistration-v1.json │ ├── validatingwebhookconfiguration-admissionregistration-v1.json │ ├── validatingwebhookconfigurationlist-admissionregistration-v1.json │ ├── validation-admissionregistration-v1.json │ ├── validationrule-apiextensions-v1.json │ ├── variable-admissionregistration-v1.json │ ├── volume-v1.json │ ├── volumeattachment-storage-v1.json │ ├── volumeattachmentlist-storage-v1.json │ ├── volumeattachmentsource-storage-v1.json │ ├── volumeattachmentspec-storage-v1.json │ ├── volumeattachmentstatus-storage-v1.json │ ├── volumedevice-v1.json │ ├── volumeerror-storage-v1.json │ ├── volumemount-v1.json │ ├── volumemountstatus-v1.json │ ├── volumenodeaffinity-v1.json │ ├── volumenoderesources-storage-v1.json │ ├── volumeprojection-v1.json │ ├── volumeresourcerequirements-v1.json │ ├── vspherevirtualdiskvolumesource-v1.json │ ├── watchevent-meta-v1.json │ ├── webhookclientconfig-admissionregistration-v1.json │ ├── webhookclientconfig-apiextensions-v1.json │ ├── webhookconversion-apiextensions-v1.json │ ├── weightedpodaffinityterm-v1.json │ └── windowssecuritycontextoptions-v1.json └── openapi │ ├── v2 │ └── schema.json │ └── v3 │ └── apis │ └── json.kyverno.io │ └── v1alpha1.json ├── .vscode └── launch.json ├── LICENSE ├── Makefile ├── README.md ├── catalog ├── dockerfile │ ├── dockerfile-deny-expose-22.yaml │ ├── dockerfile-deny-latest-image.yaml │ ├── dockerfile-disallow-apt.yaml │ ├── dockerfile-disallow-last-user-root.yaml │ └── dockerfile-disallow-sudo.yaml └── ecs │ ├── ecs-cluster-enable-logging.yaml │ ├── ecs-cluster-required-container-insights.yaml │ ├── ecs-service-public-ip.yaml │ ├── ecs-service-required-latest-platform-fargate.yaml │ ├── ecs-task-definition-fs-read-only.yaml │ └── policy-1.yaml ├── 
charts └── kyverno-json │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── clusterroles.yaml │ ├── crds.yaml │ ├── deployment.yaml │ ├── hpa.yaml │ ├── ingress.yaml │ ├── service.yaml │ └── serviceaccount.yaml │ └── values.yaml ├── codecov.yml ├── go.mod ├── go.sum ├── kyverno-json.rb ├── main.go ├── pkg ├── apis │ ├── doc.go │ └── policy │ │ └── v1alpha1 │ │ ├── any.go │ │ ├── any_test.go │ │ ├── assert.go │ │ ├── assertion.go │ │ ├── assertion_tree.go │ │ ├── compiler.go │ │ ├── context_entry.go │ │ ├── doc.go │ │ ├── feedback.go │ │ ├── match.go │ │ ├── message.go │ │ ├── validating_policy.go │ │ ├── validating_policy_spec.go │ │ ├── validating_rule.go │ │ ├── zz_generated.deepcopy.go │ │ └── zz_generated.register.go ├── catalog │ └── metadata.go ├── client │ ├── clientset │ │ └── versioned │ │ │ ├── clientset.go │ │ │ ├── fake │ │ │ ├── clientset_generated.go │ │ │ ├── doc.go │ │ │ └── register.go │ │ │ ├── scheme │ │ │ ├── doc.go │ │ │ └── register.go │ │ │ └── typed │ │ │ └── policy │ │ │ └── v1alpha1 │ │ │ ├── doc.go │ │ │ ├── fake │ │ │ ├── doc.go │ │ │ ├── fake_policy_client.go │ │ │ └── fake_validatingpolicy.go │ │ │ ├── generated_expansion.go │ │ │ ├── policy_client.go │ │ │ └── validatingpolicy.go │ ├── informers │ │ └── externalversions │ │ │ ├── factory.go │ │ │ ├── generic.go │ │ │ ├── internalinterfaces │ │ │ └── factory_interfaces.go │ │ │ └── policy │ │ │ ├── interface.go │ │ │ └── v1alpha1 │ │ │ ├── interface.go │ │ │ └── validatingpolicy.go │ └── listers │ │ └── policy │ │ └── v1alpha1 │ │ ├── expansion_generated.go │ │ └── validatingpolicy.go ├── command │ ├── command.go │ ├── example.go │ └── option.go ├── commands │ ├── docs │ │ ├── command.go │ │ ├── command_test.go │ │ ├── options.go │ │ └── utils.go │ ├── jp │ │ ├── command.go │ │ ├── command_test.go │ │ ├── function │ │ │ ├── command.go │ │ │ └── command_test.go │ │ ├── parse │ │ │ ├── command.go │ │ │ └── 
command_test.go │ │ └── query │ │ │ ├── command.go │ │ │ └── command_test.go │ ├── playground │ │ ├── command.go │ │ └── options.go │ ├── root.go │ ├── root_test.go │ ├── scan │ │ ├── command.go │ │ ├── command_test.go │ │ ├── options.go │ │ ├── output.go │ │ └── report.go │ ├── serve │ │ ├── command.go │ │ ├── options.go │ │ └── provider.go │ └── version │ │ ├── command.go │ │ └── command_test.go ├── core │ ├── assertion │ │ ├── assertion.go │ │ └── assertion_test.go │ ├── compilers │ │ ├── cel │ │ │ ├── cel.go │ │ │ ├── cel_test.go │ │ │ ├── env.go │ │ │ └── val.go │ │ ├── compiler.go │ │ ├── compilers.go │ │ └── jp │ │ │ ├── jp.go │ │ │ └── options.go │ ├── expression │ │ ├── expression.go │ │ └── expression_test.go │ ├── matching │ │ ├── equal.go │ │ ├── match.go │ │ ├── number.go │ │ └── number_test.go │ ├── message │ │ └── message.go │ └── projection │ │ ├── projection.go │ │ └── projection_test.go ├── data │ ├── crds │ │ └── json.kyverno.io_validatingpolicies.yaml │ ├── data.go │ └── data_test.go ├── engine │ ├── blocks │ │ ├── constant │ │ │ └── constant.go │ │ └── function │ │ │ └── function.go │ ├── builder │ │ └── builder.go │ └── engine.go ├── jp │ ├── functions.go │ ├── functions │ │ ├── at.go │ │ ├── concat.go │ │ ├── functions.go │ │ ├── json_parse.go │ │ └── wildcard.go │ └── kyverno │ │ ├── arithmetic.go │ │ ├── arithmetic_test.go │ │ ├── error.go │ │ ├── functionentry.go │ │ ├── functionentry_test.go │ │ ├── functions.go │ │ ├── functions_test.go │ │ ├── time.go │ │ ├── time_test.go │ │ ├── utils.go │ │ └── utils_test.go ├── json-engine │ ├── compiler.go │ ├── engine.go │ └── model.go ├── payload │ └── load.go ├── policy │ ├── load.go │ └── load_test.go ├── server │ ├── linux.go │ ├── model │ │ └── response.go │ ├── playground │ │ ├── handler.go │ │ ├── request.go │ │ └── routes.go │ ├── scan │ │ ├── config.go │ │ ├── handler.go │ │ ├── request.go │ │ └── routes.go │ ├── server.go │ ├── ui │ │ ├── dist │ │ │ └── assets │ │ │ │ └── data.json │ │ 
├── embed.go │ │ └── routes.go │ └── wasm.go ├── utils │ ├── copy │ │ └── deep_copy.go │ ├── hash │ │ └── hash.go │ ├── reflect │ │ ├── kind.go │ │ └── kind_test.go │ └── rest │ │ ├── rest.go │ │ └── rest_test.go └── version │ ├── version.go │ └── version_test.go ├── playground-examples.yaml ├── requirements.txt ├── test ├── .kube │ └── config ├── api │ ├── README.md │ └── go │ │ └── main │ │ └── main.go ├── commands │ ├── scan │ │ ├── bindings │ │ │ ├── bindings.yaml │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── cel │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── dockerfile │ │ │ ├── Dockerfile │ │ │ ├── README.md │ │ │ ├── out.txt │ │ │ ├── payload.json │ │ │ └── policy.yaml │ │ ├── escaped │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── foo-bar │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── payload-yaml │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── pod-all-latest │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── pod-no-latest │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── scripted │ │ │ ├── out.txt │ │ │ ├── payload.yaml │ │ │ └── policy.yaml │ │ ├── tf-ec2 │ │ │ ├── ec2.tf │ │ │ ├── out.txt │ │ │ ├── payload.json │ │ │ └── policy.yaml │ │ ├── tf-ecs-cluster │ │ │ ├── 01-out.txt │ │ │ ├── 01-policy.yaml │ │ │ ├── 02-out.txt │ │ │ ├── 02-policy.yaml │ │ │ ├── main.tf │ │ │ └── payload.json │ │ ├── tf-ecs-service │ │ │ ├── 01-out.txt │ │ │ ├── 01-policy.yaml │ │ │ ├── 02-out.txt │ │ │ ├── 02-policy.yaml │ │ │ ├── main.tf │ │ │ └── payload.json │ │ ├── tf-ecs-task-definition │ │ │ ├── main.tf │ │ │ ├── out.txt │ │ │ ├── payload.json │ │ │ └── policy.yaml │ │ ├── tf-plan │ │ │ ├── out.txt │ │ │ ├── payload.json │ │ │ └── policy.yaml │ │ ├── tf-s3 │ │ │ ├── bucket.tf │ │ │ ├── out.txt │ │ │ ├── payload.json │ │ │ └── policy.yaml │ │ └── wildcard │ │ │ ├── out.txt │ │ │ ├── payload.json │ │ │ └── 
policy.yaml │ └── version │ │ ├── help.txt │ │ └── out.txt └── policy │ ├── bad-rule.yaml │ ├── configmap.yaml │ ├── empty.yaml │ ├── multiple.yaml │ ├── no-rules.yaml │ ├── no-spec.yaml │ ├── ok.yaml │ └── rule-name-missing.yaml ├── wasm └── main.go └── website ├── apis ├── config.yaml └── markdown │ ├── members.tpl │ ├── pkg.tpl │ └── type.tpl ├── catalog └── main.go ├── docs ├── apis │ └── kyverno-json.v1alpha1.md ├── catalog │ ├── index.md │ └── policies │ │ ├── dockerfile │ │ ├── dockerfile-deny-expose-22.md │ │ ├── dockerfile-deny-latest-image.md │ │ ├── dockerfile-disallow-apt.md │ │ ├── dockerfile-disallow-last-user-root.md │ │ └── dockerfile-disallow-sudo.md │ │ └── ecs │ │ ├── ecs-cluster-enable-logging.md │ │ ├── ecs-cluster-required-container-insights.md │ │ ├── ecs-service-public-ip.md │ │ ├── ecs-service-required-latest-platform-fargate.md │ │ ├── ecs-task-definition-fs-read-only.md │ │ └── policy-1.md ├── cli │ ├── commands │ │ ├── kyverno-json.md │ │ ├── kyverno-json_completion.md │ │ ├── kyverno-json_completion_bash.md │ │ ├── kyverno-json_completion_fish.md │ │ ├── kyverno-json_completion_powershell.md │ │ ├── kyverno-json_completion_zsh.md │ │ ├── kyverno-json_docs.md │ │ ├── kyverno-json_jp.md │ │ ├── kyverno-json_jp_function.md │ │ ├── kyverno-json_jp_parse.md │ │ ├── kyverno-json_jp_query.md │ │ ├── kyverno-json_playground.md │ │ ├── kyverno-json_scan.md │ │ ├── kyverno-json_serve.md │ │ └── kyverno-json_version.md │ └── index.md ├── go-library │ └── index.md ├── index.md ├── install.md ├── intro.md ├── jp.md ├── jp │ └── functions.md ├── overrides │ ├── home.html │ └── main.html ├── playground.md ├── policies │ ├── asserts.md │ └── policies.md ├── quick-start.md ├── static │ ├── extra.css │ ├── favicon.ico │ └── kyverno-json-logo.png └── webapp │ └── index.md ├── jp └── main.go ├── mkdocs.base.yaml ├── mkdocs.yaml ├── nav.gotmpl ├── playground-examples └── main.go ├── playground ├── assets │ ├── css │ │ └── styles.css │ ├── data.json │ ├── 
img │ │ ├── favicon.ico │ │ ├── github.svg │ │ └── kyverno-json-logo.png │ └── js │ │ ├── editor.js │ │ └── main.js ├── dist │ ├── nice-select2.css │ ├── nice-select2.js │ └── wasm_exec.js ├── index.html └── sw.js └── policy.gotmpl /.assets/kyverno-json-horizontal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/.assets/kyverno-json-horizontal.png -------------------------------------------------------------------------------- /.assets/kyverno-json-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/.assets/kyverno-json-logo.png -------------------------------------------------------------------------------- /.assets/kyverno-json-logo.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/.assets/kyverno-json-logo.pptx -------------------------------------------------------------------------------- /.docs/PLAYGROUND_EXAMPLES.md: -------------------------------------------------------------------------------- 1 | # Playground examples docs 2 | 3 | This document describes how to manage playground examples. 4 | 5 | ## Modify playground examples 6 | 7 | To add, update or remove a playground example, edit the [playground-examples.yaml](../playground-examples.yaml) file. 
8 | 9 | This file contains two nested maps: the first level is the example category and the second level is the example name: 10 | 11 | ```yaml 12 | example category 1: 13 | example name 1: 14 | policy: path/to/policy/file (yaml or json) 15 | payload: path/to/payload/file (yaml or json) 16 | example name 2: 17 | policy: path/to/policy/file (yaml or json) 18 | payload: path/to/payload/file (yaml or json) 19 | example category 2: 20 | # ... 21 | ``` 22 | 23 | Once the file is edited, run `make codegen-playground-examples` to update the [data.json](../website/playground/assets/data.json) file. 24 | -------------------------------------------------------------------------------- /.docs/RELEASE.md: -------------------------------------------------------------------------------- 1 | # Release docs 2 | 3 | This document describes the release process. 4 | 5 | ## Create a release 6 | 7 | Creating a release can be done by pushing a tag to the GitHub repository (beginning with `v`). 8 | 9 | The [release workflow](../.github/workflows/release.yaml) will take care of creating the GitHub release and will publish artifacts. 10 | 11 | ```shell 12 | VERSION="v0.1.0" 13 | TAG=$VERSION 14 | 15 | git tag $TAG -m "tag $TAG" -a 16 | git push origin $TAG 17 | ``` 18 | 19 | ## Release notes 20 | 21 | Release notes for the `main` branch live in [main.md](../.release-notes/main.md). 22 | 23 | Make sure it is up to date and rename the file to the version being released. 24 | 25 | You can then copy [_template.md](../.release-notes/_template.md) to [main.md](../.release-notes/main.md) for the next release. 26 | 27 | ## Publish documentation 28 | 29 | Publishing the documentation for a release is decoupled from cutting a release. 30 | 31 | To publish the documentation, push a tag to the GitHub repository (beginning with `docs-v`). 
32 | 33 | ```shell 34 | VERSION="v0.1.0" 35 | TAG=docs-$VERSION 36 | 37 | git tag $TAG -m "tag $TAG" -a 38 | git push origin $TAG 39 | ``` 40 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/VULN-TEMPLATE.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Vulnerabilities detected 3 | labels: security 4 | --- 5 | High or critical vulnerabilities detected. Scan results are below: 6 | 7 | {{ env.RESULTS }} 8 | -------------------------------------------------------------------------------- /.github/cherry-pick-bot.yml: -------------------------------------------------------------------------------- 1 | enabled: true 2 | preservePullRequestTitle: true 3 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: gomod 4 | directory: / 5 | schedule: 6 | interval: daily 7 | - package-ecosystem: github-actions 8 | directory: / 9 | schedule: 10 | interval: daily 11 | -------------------------------------------------------------------------------- /.github/workflows/ah-lint.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: ArtifactHub Lint 4 | 5 | permissions: {} 6 | 7 | on: 8 | pull_request: 9 | branches: 10 | - '*' 11 | 12 | concurrency: 13 | group: ${{ github.workflow }}-${{ github.ref }} 14 | cancel-in-progress: true 15 | 16 | jobs: 17 | ah-lint: 18 | runs-on: ubuntu-latest 19 | container: 20 | image: artifacthub/ah 21 | options: --user root 22 | steps: 23 | - name: Checkout 24 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 25 | - name: Run ah lint 26 | working-directory: ./charts/ 27 | run: | 28 | set -e 29 | ah lint 30 
| -------------------------------------------------------------------------------- /.github/workflows/check-actions.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: Check actions 4 | 5 | permissions: {} 6 | 7 | on: 8 | pull_request: 9 | branches: 10 | - 'main' 11 | - 'release*' 12 | 13 | jobs: 14 | check-actions: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: Checkout 18 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 19 | - name: Ensure SHA pinned actions 20 | uses: zgosalvez/github-actions-ensure-sha-pinned-actions@40ba2d51b6b6d8695f2b6bd74e785172d4f8d00f # v3.0.14 21 | with: 22 | # slsa-github-generator requires using a semver tag for reusable workflows. 23 | # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators 24 | allowlist: | 25 | slsa-framework/slsa-github-generator 26 | kyverno/kyverno-json 27 | -------------------------------------------------------------------------------- /.github/workflows/codegen.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: Verify codegen 4 | 5 | permissions: {} 6 | 7 | on: 8 | pull_request: 9 | branches: 10 | - 'main' 11 | - 'release*' 12 | 13 | concurrency: 14 | group: ${{ github.workflow }}-${{ github.ref }} 15 | cancel-in-progress: true 16 | 17 | jobs: 18 | verify-codegen: 19 | runs-on: ubuntu-latest 20 | steps: 21 | - name: Checkout 22 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 23 | - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 24 | with: 25 | go-version-file: go.mod 26 | cache-dependency-path: go.sum 27 | - name: Verify codegen 28 | run: | 29 | set -e 30 | make verify-codegen 31 | 
-------------------------------------------------------------------------------- /.github/workflows/ct-lint.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: CT Lint 4 | 5 | permissions: {} 6 | 7 | on: 8 | pull_request: 9 | branches: 10 | - '*' 11 | 12 | concurrency: 13 | group: ${{ github.workflow }}-${{ github.ref }} 14 | cancel-in-progress: true 15 | 16 | jobs: 17 | ct-lint: 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: Checkout 21 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 22 | with: 23 | fetch-depth: 0 24 | - name: Set up Helm 25 | uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 26 | - name: Setup python 27 | uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 28 | with: 29 | python-version: 3.7 30 | - name: Set up chart-testing 31 | uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 32 | - name: Run chart-testing (lint) 33 | run: | 34 | set -e 35 | ct lint --target-branch=main --check-version-increment=false 36 | -------------------------------------------------------------------------------- /.github/workflows/docs-main.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: Dev docs 4 | 5 | permissions: {} 6 | 7 | on: 8 | push: 9 | branches: 10 | - main 11 | 12 | concurrency: 13 | group: ${{ github.workflow }}-${{ github.ref }} 14 | cancel-in-progress: true 15 | 16 | jobs: 17 | docs: 18 | runs-on: ubuntu-latest 19 | permissions: 20 | contents: write 21 | steps: 22 | - name: Checkout 23 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 24 | - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 25 | with: 26 | go-version-file: go.mod 
27 | cache-dependency-path: go.sum 28 | - name: Build site 29 | run: | 30 | set -e 31 | make codegen-mkdocs 32 | - name: Deploy site 33 | run: | 34 | set -e 35 | git fetch origin gh-pages --depth=1 36 | git config user.name ci-bot 37 | git config user.email ci-bot@example.com 38 | mike deploy -F ./website/mkdocs.yaml --push --update-aliases main dev 39 | -------------------------------------------------------------------------------- /.github/workflows/helm-install.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: Helm install 4 | 5 | permissions: {} 6 | 7 | on: 8 | pull_request: 9 | branches: 10 | - '*' 11 | 12 | concurrency: 13 | group: ${{ github.workflow }}-${{ github.ref }} 14 | cancel-in-progress: true 15 | 16 | jobs: 17 | helm-install: 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: Checkout 21 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 22 | - name: Set up Go 23 | uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 24 | with: 25 | go-version-file: go.mod 26 | cache-dependency-path: go.sum 27 | - name: Create cluster 28 | run: | 29 | set -e 30 | make kind-create 31 | - name: Install chart 32 | run: | 33 | set -e 34 | make kind-install 35 | -------------------------------------------------------------------------------- /.github/workflows/helm-release.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: Helm Release 4 | 5 | permissions: {} 6 | 7 | on: 8 | push: 9 | tags: 10 | - 'chart-v*' 11 | 12 | jobs: 13 | chart-releaser: 14 | runs-on: ubuntu-latest 15 | permissions: 16 | contents: write 17 | pages: write 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 21 | - name: 
Install Helm 22 | uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 23 | - name: Set version 24 | run: | 25 | set -e 26 | TAG=${{ github.ref_name }} 27 | echo "CHART_VERSION=${TAG#chart-}" >> $GITHUB_ENV 28 | - name: Run chart-releaser 29 | uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 #v1.7.0 30 | with: 31 | token: ${{ secrets.GITHUB_TOKEN }} 32 | linting: off 33 | charts_dir: charts 34 | chart_version: ${{ env.CHART_VERSION }} 35 | -------------------------------------------------------------------------------- /.github/workflows/lint.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 2 | 3 | name: Lint 4 | 5 | permissions: {} 6 | 7 | on: 8 | pull_request: 9 | branches: 10 | - 'main' 11 | - 'release*' 12 | 13 | concurrency: 14 | group: ${{ github.workflow }}-${{ github.ref }} 15 | cancel-in-progress: true 16 | 17 | jobs: 18 | lint: 19 | runs-on: ubuntu-latest 20 | steps: 21 | - name: Checkout 22 | uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 23 | - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 24 | with: 25 | go-version-file: go.mod 26 | cache-dependency-path: go.sum 27 | - name: golangci-lint 28 | uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v3.7.1 29 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store/ 2 | .gopath/ 3 | .tools/ 4 | .venv/ 5 | coverage.out 6 | dist/ 7 | /kyverno-json 8 | /pkg/server/ui/dist/assets/main.wasm 9 | /website/docs/_playground 10 | /website/playground/assets/main.wasm 11 | /website/site 12 | -------------------------------------------------------------------------------- /.golangci.yml: 
-------------------------------------------------------------------------------- 1 | linters: 2 | enable: 3 | - asasalint 4 | - asciicheck 5 | - bidichk 6 | - bodyclose 7 | - containedctx 8 | - decorder 9 | - dogsled 10 | - durationcheck 11 | - errcheck 12 | - errname 13 | - exportloopref 14 | - gci 15 | - gochecknoinits 16 | - gofmt 17 | - gofumpt 18 | - goimports 19 | - goprintffuncname 20 | - gosec 21 | - gosimple 22 | - govet 23 | - grouper 24 | - importas 25 | - ineffassign 26 | - makezero 27 | - misspell 28 | - noctx 29 | - nolintlint 30 | - nosprintfhostport 31 | # - paralleltest 32 | - staticcheck 33 | - tenv 34 | - thelper 35 | - tparallel 36 | - typecheck 37 | - unconvert 38 | - unused 39 | - wastedassign 40 | - whitespace 41 | 42 | run: 43 | timeout: 15m 44 | skip-files: 45 | - ".+\\.generated.go" 46 | -------------------------------------------------------------------------------- /.hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | -------------------------------------------------------------------------------- /.release-notes/_template.md: -------------------------------------------------------------------------------- 1 | # Release notes 2 | 3 | Release notes for `TODO`. 
4 | 5 | 22 | -------------------------------------------------------------------------------- /.release-notes/main.md: -------------------------------------------------------------------------------- 1 | # Release notes 2 | 3 | Release notes for `TODO`. 4 | 5 | 22 | -------------------------------------------------------------------------------- /.release-notes/v0.0.1.md: -------------------------------------------------------------------------------- 1 | # Release notes 2 | 3 | Release notes for `v0.0.1`. 4 | 5 | ## :dizzy: New features :dizzy: 6 | 7 | - Policy catalog added 8 | 9 | ## :star: Examples :star: 10 | 11 | - Example to work with `DOCKERFILE` added 12 | 13 | ## :guitar: Misc :guitar: 14 | 15 | - Escaping projections now use `\` instead of `/` 16 | - JSON and openapi schemas are now available 17 | - First release :tada: -------------------------------------------------------------------------------- /.release-notes/v0.0.2.md: -------------------------------------------------------------------------------- 1 | # Release notes 2 | 3 | Release notes for `v0.0.2`. 
4 | 5 | ## 💫 New features 💫 6 | 7 | - Kyverno-JSON is now available via brew 8 | - Added a GitHub action to install Kyverno-JSON 9 | 10 | ## 🔧 Fixes 🔧 11 | 12 | - Fixed an index not found error 13 | 14 | ## 📚 Docs 📚 15 | 16 | - Added multi-version docs support 17 | -------------------------------------------------------------------------------- /.schemas/json/attachedvolume-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "AttachedVolume describes a volume attached to a node", 3 | "type": "object", 4 | "required": [ 5 | "name", 6 | "devicePath" 7 | ], 8 | "properties": { 9 | "devicePath": { 10 | "description": "DevicePath represents the device path where the volume should be available", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "name": { 17 | "description": "Name of the attached volume", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/azurefilevolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.", 3 | "type": "object", 4 | "required": [ 5 | "secretName", 6 | "shareName" 7 | ], 8 | "properties": { 9 | "readOnly": { 10 | "description": "readOnly defaults to false (read/write). 
ReadOnly here will force the ReadOnly setting in VolumeMounts.", 11 | "type": [ 12 | "boolean", 13 | "null" 14 | ] 15 | }, 16 | "secretName": { 17 | "description": "secretName is the name of secret that contains Azure Storage Account Name and Key", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | "shareName": { 24 | "description": "shareName is the azure share Name", 25 | "type": [ 26 | "string", 27 | "null" 28 | ] 29 | } 30 | }, 31 | "$schema": "http://json-schema.org/schema#" 32 | } -------------------------------------------------------------------------------- /.schemas/json/boundobjectreference-authentication-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "BoundObjectReference is a reference to an object that a token is bound to.", 3 | "type": "object", 4 | "properties": { 5 | "apiVersion": { 6 | "description": "API version of the referent.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "kind": { 13 | "description": "Kind of the referent. 
Valid kinds are 'Pod' and 'Secret'.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | }, 19 | "name": { 20 | "description": "Name of the referent.", 21 | "type": [ 22 | "string", 23 | "null" 24 | ] 25 | }, 26 | "uid": { 27 | "description": "UID of the referent.", 28 | "type": [ 29 | "string", 30 | "null" 31 | ] 32 | } 33 | }, 34 | "$schema": "http://json-schema.org/schema#" 35 | } -------------------------------------------------------------------------------- /.schemas/json/capabilities-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Adds and removes POSIX capabilities from running containers.", 3 | "type": "object", 4 | "properties": { 5 | "add": { 6 | "description": "Added capabilities", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "x-kubernetes-list-type": "atomic" 18 | }, 19 | "drop": { 20 | "description": "Removed capabilities", 21 | "type": [ 22 | "array", 23 | "null" 24 | ], 25 | "items": { 26 | "type": [ 27 | "string", 28 | "null" 29 | ] 30 | }, 31 | "x-kubernetes-list-type": "atomic" 32 | } 33 | }, 34 | "$schema": "http://json-schema.org/schema#" 35 | } -------------------------------------------------------------------------------- /.schemas/json/clientipconfig-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ClientIPConfig represents the configurations of Client IP based session affinity.", 3 | "type": "object", 4 | "properties": { 5 | "timeoutSeconds": { 6 | "description": "timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == \"ClientIP\". 
Default value is 10800(for 3 hours).", 7 | "type": [ 8 | "integer", 9 | "null" 10 | ], 11 | "format": "int32" 12 | } 13 | }, 14 | "$schema": "http://json-schema.org/schema#" 15 | } -------------------------------------------------------------------------------- /.schemas/json/componentcondition-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Information about the condition of a component.", 3 | "type": "object", 4 | "required": [ 5 | "type", 6 | "status" 7 | ], 8 | "properties": { 9 | "error": { 10 | "description": "Condition error code for a component. For example, a health check error code.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "message": { 17 | "description": "Message about the condition for a component. For example, information about a health check.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | "status": { 24 | "description": "Status of the condition for a component. Valid values for \"Healthy\": \"True\", \"False\", or \"Unknown\".", 25 | "type": [ 26 | "string", 27 | "null" 28 | ] 29 | }, 30 | "type": { 31 | "description": "Type of condition for a component. Valid value: \"Healthy\"", 32 | "type": [ 33 | "string", 34 | "null" 35 | ] 36 | } 37 | }, 38 | "$schema": "http://json-schema.org/schema#" 39 | } -------------------------------------------------------------------------------- /.schemas/json/configmapenvsource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.\n\nThe contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.", 3 | "type": "object", 4 | "properties": { 5 | "name": { 6 | "description": "Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "optional": { 13 | "description": "Specify whether the ConfigMap must be defined", 14 | "type": [ 15 | "boolean", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/configmapkeyselector-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Selects a key from a ConfigMap.", 3 | "type": "object", 4 | "required": [ 5 | "key" 6 | ], 7 | "properties": { 8 | "key": { 9 | "description": "The key to select.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "name": { 16 | "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", 17 | "type": [ 18 | "string", 19 | "null" 20 | ] 21 | }, 22 | "optional": { 23 | "description": "Specify whether the ConfigMap or its key must be defined", 24 | "type": [ 25 | "boolean", 26 | "null" 27 | ] 28 | } 29 | }, 30 | "x-kubernetes-map-type": "atomic", 31 | "$schema": "http://json-schema.org/schema#" 32 | } -------------------------------------------------------------------------------- /.schemas/json/containerimage-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Describe a container image", 3 | "type": "object", 4 | "properties": { 5 | "names": { 6 | "description": "Names by which this image is known. e.g. 
[\"kubernetes.example/hyperkube:v1.0.7\", \"cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7\"]", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "x-kubernetes-list-type": "atomic" 18 | }, 19 | "sizeBytes": { 20 | "description": "The size of the image in bytes.", 21 | "type": [ 22 | "integer", 23 | "null" 24 | ], 25 | "format": "int64" 26 | } 27 | }, 28 | "$schema": "http://json-schema.org/schema#" 29 | } -------------------------------------------------------------------------------- /.schemas/json/containerresizepolicy-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ContainerResizePolicy represents resource resize policy for the container.", 3 | "type": "object", 4 | "required": [ 5 | "resourceName", 6 | "restartPolicy" 7 | ], 8 | "properties": { 9 | "resourceName": { 10 | "description": "Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "restartPolicy": { 17 | "description": "Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/containerstaterunning-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ContainerStateRunning is a running state of a container.", 3 | "type": "object", 4 | "properties": { 5 | "startedAt": { 6 | "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ], 11 | "format": "date-time" 12 | } 13 | }, 14 | "$schema": "http://json-schema.org/schema#" 15 | } -------------------------------------------------------------------------------- /.schemas/json/containerstatewaiting-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ContainerStateWaiting is a waiting state of a container.", 3 | "type": "object", 4 | "properties": { 5 | "message": { 6 | "description": "Message regarding why the container is not yet running.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "reason": { 13 | "description": "(brief) reason the container is not yet running.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/crossversionobjectreference-autoscaling-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "CrossVersionObjectReference contains enough information to let you identify the referred resource.", 3 | "type": "object", 4 | "required": [ 5 | "kind", 6 | "name" 7 | ], 8 | "properties": { 9 | "apiVersion": { 10 | "description": "apiVersion is the API version of the referent", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "kind": { 17 | "description": "kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | "name": { 24 | "description": "name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", 25 | "type": [ 26 | "string", 27 | "null" 28 | ] 29 | } 30 | }, 31 | 
"x-kubernetes-map-type": "atomic", 32 | "$schema": "http://json-schema.org/schema#" 33 | } -------------------------------------------------------------------------------- /.schemas/json/crossversionobjectreference-autoscaling-v2.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "CrossVersionObjectReference contains enough information to let you identify the referred resource.", 3 | "type": "object", 4 | "required": [ 5 | "kind", 6 | "name" 7 | ], 8 | "properties": { 9 | "apiVersion": { 10 | "description": "apiVersion is the API version of the referent", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "kind": { 17 | "description": "kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | "name": { 24 | "description": "name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", 25 | "type": [ 26 | "string", 27 | "null" 28 | ] 29 | } 30 | }, 31 | "$schema": "http://json-schema.org/schema#" 32 | } -------------------------------------------------------------------------------- /.schemas/json/customresourcesubresourcestatus-apiextensions-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the `.status` JSON path inside of a CustomResource. 
When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza", 3 | "type": "object", 4 | "$schema": "http://json-schema.org/schema#" 5 | } -------------------------------------------------------------------------------- /.schemas/json/daemonendpoint-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "DaemonEndpoint contains information about a single Daemon endpoint.", 3 | "type": "object", 4 | "required": [ 5 | "Port" 6 | ], 7 | "properties": { 8 | "Port": { 9 | "description": "Port number of the given endpoint.", 10 | "type": [ 11 | "integer", 12 | "null" 13 | ], 14 | "format": "int32" 15 | } 16 | }, 17 | "$schema": "http://json-schema.org/schema#" 18 | } -------------------------------------------------------------------------------- /.schemas/json/emptydirvolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.", 3 | "type": "object", 4 | "properties": { 5 | "medium": { 6 | "description": "medium represents what type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "sizeLimit": { 13 | "oneOf": [ 14 | { 15 | "type": [ 16 | "string", 17 | "null" 18 | ] 19 | }, 20 | { 21 | "type": [ 22 | "number", 23 | "null" 24 | ] 25 | } 26 | ] 27 | } 28 | }, 29 | "$schema": "http://json-schema.org/schema#" 30 | } -------------------------------------------------------------------------------- /.schemas/json/endpointhints-discovery-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "EndpointHints provides hints describing how an endpoint should be consumed.", 3 | "type": "object", 4 | "properties": { 5 | "forZones": { 6 | "description": "forZones indicates the zone(s) this endpoint should be consumed by to enable topology aware routing.", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "description": "ForZone provides information about which zones should consume this endpoint.", 13 | "type": [ 14 | "object", 15 | "null" 16 | ], 17 | "required": [ 18 | "name" 19 | ], 20 | "properties": { 21 | "name": { 22 | "description": "name represents the name of the zone.", 23 | "type": "string" 24 | } 25 | } 26 | }, 27 | "x-kubernetes-list-type": "atomic" 28 | } 29 | }, 30 | "$schema": "http://json-schema.org/schema#" 31 | } -------------------------------------------------------------------------------- /.schemas/json/eventseries-events-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "EventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time. How often to update the EventSeries is up to the event reporters. 
The default event reporter in \"k8s.io/client-go/tools/events/event_broadcaster.go\" shows how this struct is updated on heartbeats and can guide customized reporter implementations.", 3 | "type": "object", 4 | "required": [ 5 | "count", 6 | "lastObservedTime" 7 | ], 8 | "properties": { 9 | "count": { 10 | "description": "count is the number of occurrences in this series up to the last heartbeat time.", 11 | "type": [ 12 | "integer", 13 | "null" 14 | ], 15 | "format": "int32" 16 | }, 17 | "lastObservedTime": { 18 | "description": "MicroTime is version of Time with microsecond level precision.", 19 | "type": [ 20 | "string", 21 | "null" 22 | ], 23 | "format": "date-time" 24 | } 25 | }, 26 | "$schema": "http://json-schema.org/schema#" 27 | } -------------------------------------------------------------------------------- /.schemas/json/eventseries-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "EventSeries contain information on series of events, i.e. 
thing that was/is happening continuously for some time.", 3 | "type": "object", 4 | "properties": { 5 | "count": { 6 | "description": "Number of occurrences in this series up to the last heartbeat time", 7 | "type": [ 8 | "integer", 9 | "null" 10 | ], 11 | "format": "int32" 12 | }, 13 | "lastObservedTime": { 14 | "description": "MicroTime is version of Time with microsecond level precision.", 15 | "type": [ 16 | "string", 17 | "null" 18 | ], 19 | "format": "date-time" 20 | } 21 | }, 22 | "$schema": "http://json-schema.org/schema#" 23 | } -------------------------------------------------------------------------------- /.schemas/json/eventsource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "EventSource contains information for an event.", 3 | "type": "object", 4 | "properties": { 5 | "component": { 6 | "description": "Component from which the event is generated.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "host": { 13 | "description": "Node name on which the event is generated.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/execaction-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ExecAction describes a \"run in container\" action.", 3 | "type": "object", 4 | "properties": { 5 | "command": { 6 | "description": "Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. 
Exit status of 0 is treated as live/healthy and non-zero is unhealthy.", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "x-kubernetes-list-type": "atomic" 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/expressionwarning-admissionregistration-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ExpressionWarning is a warning information that targets a specific expression.", 3 | "type": "object", 4 | "required": [ 5 | "fieldRef", 6 | "warning" 7 | ], 8 | "properties": { 9 | "fieldRef": { 10 | "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "warning": { 17 | "description": "The content of type checking information in a human-readable form. 
Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/externaldocumentation-apiextensions-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ExternalDocumentation allows referencing an external resource for extended documentation.", 3 | "type": "object", 4 | "properties": { 5 | "description": { 6 | "type": [ 7 | "string", 8 | "null" 9 | ] 10 | }, 11 | "url": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | } 17 | }, 18 | "$schema": "http://json-schema.org/schema#" 19 | } -------------------------------------------------------------------------------- /.schemas/json/fieldsv1-meta-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", 3 | "type": "object", 4 | "$schema": "http://json-schema.org/schema#" 5 | } -------------------------------------------------------------------------------- /.schemas/json/flockervolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.", 3 | "type": "object", 4 | "properties": { 5 | "datasetName": { 6 | "description": "datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "datasetUUID": { 13 | "description": "datasetUUID is the UUID of the dataset. 
This is unique identifier of a Flocker dataset", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/flowdistinguishermethod-flowcontrol-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", 3 | "type": "object", 4 | "required": [ 5 | "type" 6 | ], 7 | "properties": { 8 | "type": { 9 | "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/flowdistinguishermethod-flowcontrol-v1beta3.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", 3 | "type": "object", 4 | "required": [ 5 | "type" 6 | ], 7 | "properties": { 8 | "type": { 9 | "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". 
Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/forzone-discovery-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ForZone provides information about which zones should consume this endpoint.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "name represents the name of the zone.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/groupsubject-flowcontrol-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "GroupSubject holds detailed information for group-kind subject.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/groupsubject-flowcontrol-v1beta3.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "GroupSubject holds detailed information for group-kind subject.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "name is the user group that matches, or \"*\" to match all user groups. 
See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/groupversionfordiscovery-meta-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "GroupVersion contains the \"group/version\" and \"version\" string of a version. It is made a struct to keep extensibility.", 3 | "type": "object", 4 | "required": [ 5 | "groupVersion", 6 | "version" 7 | ], 8 | "properties": { 9 | "groupVersion": { 10 | "description": "groupVersion specifies the API group and version in the form \"group/version\"", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "version": { 17 | "description": "version specifies the version in the form of \"version\". This is to save the clients the trouble of splitting the GroupVersion.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/grpcaction-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "required": [ 4 | "port" 5 | ], 6 | "properties": { 7 | "port": { 8 | "description": "Port number of the gRPC service. 
Number must be in the range 1 to 65535.", 9 | "type": [ 10 | "integer", 11 | "null" 12 | ], 13 | "format": "int32" 14 | }, 15 | "service": { 16 | "description": "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.", 17 | "type": [ 18 | "string", 19 | "null" 20 | ] 21 | } 22 | }, 23 | "$schema": "http://json-schema.org/schema#" 24 | } -------------------------------------------------------------------------------- /.schemas/json/hostalias-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.", 3 | "type": "object", 4 | "properties": { 5 | "hostnames": { 6 | "description": "Hostnames for the above IP address.", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "x-kubernetes-list-type": "atomic" 18 | }, 19 | "ip": { 20 | "description": "IP address of the host file entry.", 21 | "type": [ 22 | "string", 23 | "null" 24 | ] 25 | } 26 | }, 27 | "$schema": "http://json-schema.org/schema#" 28 | } -------------------------------------------------------------------------------- /.schemas/json/hostip-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "HostIP represents a single IP address allocated to the host.", 3 | "type": "object", 4 | "properties": { 5 | "ip": { 6 | "description": "IP is the IP address assigned to the host", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | } 12 | }, 13 | "$schema": "http://json-schema.org/schema#" 14 | } -------------------------------------------------------------------------------- /.schemas/json/hpascalingpolicy-autoscaling-v2.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "HPAScalingPolicy is a single policy which must hold true for a specified past interval.", 3 | "type": "object", 4 | "required": [ 5 | "type", 6 | "value", 7 | "periodSeconds" 8 | ], 9 | "properties": { 10 | "periodSeconds": { 11 | "description": "periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).", 12 | "type": [ 13 | "integer", 14 | "null" 15 | ], 16 | "format": "int32" 17 | }, 18 | "type": { 19 | "description": "type is used to specify the scaling policy.", 20 | "type": [ 21 | "string", 22 | "null" 23 | ] 24 | }, 25 | "value": { 26 | "description": "value contains the amount of change which is permitted by the policy. It must be greater than zero", 27 | "type": [ 28 | "integer", 29 | "null" 30 | ], 31 | "format": "int32" 32 | } 33 | }, 34 | "$schema": "http://json-schema.org/schema#" 35 | } -------------------------------------------------------------------------------- /.schemas/json/httpheader-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "HTTPHeader describes a custom header to be used in HTTP probes", 3 | "type": "object", 4 | "required": [ 5 | "name", 6 | "value" 7 | ], 8 | "properties": { 9 | "name": { 10 | "description": "The header field name. 
This will be canonicalized upon output, so case-variant names will be understood as the same header.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "value": { 17 | "description": "The header field value", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/intorstring-util-intstr.json: -------------------------------------------------------------------------------- 1 | { 2 | "oneOf": [ 3 | { 4 | "type": "string" 5 | }, 6 | { 7 | "type": "integer" 8 | } 9 | ], 10 | "$schema": "http://json-schema.org/schema#", 11 | "type": "object" 12 | } -------------------------------------------------------------------------------- /.schemas/json/ipblock-networking-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. 
The except entry describes CIDRs that should not be included within this rule.", 3 | "type": "object", 4 | "required": [ 5 | "cidr" 6 | ], 7 | "properties": { 8 | "cidr": { 9 | "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "except": { 16 | "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", 17 | "type": [ 18 | "array", 19 | "null" 20 | ], 21 | "items": { 22 | "type": [ 23 | "string", 24 | "null" 25 | ] 26 | }, 27 | "x-kubernetes-list-type": "atomic" 28 | } 29 | }, 30 | "$schema": "http://json-schema.org/schema#" 31 | } -------------------------------------------------------------------------------- /.schemas/json/json-apiextensions-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.", 3 | "$schema": "http://json-schema.org/schema#", 4 | "type": "object" 5 | } -------------------------------------------------------------------------------- /.schemas/json/localobjectreference-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.", 3 | "type": "object", 4 | "properties": { 5 | "name": { 6 | "description": "Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | } 12 | }, 13 | "x-kubernetes-map-type": "atomic", 14 | "$schema": "http://json-schema.org/schema#" 15 | } -------------------------------------------------------------------------------- /.schemas/json/localvolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Local represents directly-attached storage with node affinity (Beta feature)", 3 | "type": "object", 4 | "required": [ 5 | "path" 6 | ], 7 | "properties": { 8 | "fsType": { 9 | "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "path": { 16 | "description": "path of the full path to the volume on the node. 
It can be either a directory or block device (disk, partition, ...).", 17 | "type": [ 18 | "string", 19 | "null" 20 | ] 21 | } 22 | }, 23 | "$schema": "http://json-schema.org/schema#" 24 | } -------------------------------------------------------------------------------- /.schemas/json/microtime-meta-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "MicroTime is version of Time with microsecond level precision.", 3 | "type": "string", 4 | "format": "date-time", 5 | "$schema": "http://json-schema.org/schema#" 6 | } -------------------------------------------------------------------------------- /.schemas/json/namespacespec-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "NamespaceSpec describes the attributes on a Namespace.", 3 | "type": "object", 4 | "properties": { 5 | "finalizers": { 6 | "description": "Finalizers is an opaque list of values that must be empty to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "x-kubernetes-list-type": "atomic" 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/nfsvolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.", 3 | "type": "object", 4 | "required": [ 5 | "server", 6 | "path" 7 | ], 8 | "properties": { 9 | "path": { 10 | "description": "path that is exported by the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "readOnly": { 17 | "description": "readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", 18 | "type": [ 19 | "boolean", 20 | "null" 21 | ] 22 | }, 23 | "server": { 24 | "description": "server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", 25 | "type": [ 26 | "string", 27 | "null" 28 | ] 29 | } 30 | }, 31 | "$schema": "http://json-schema.org/schema#" 32 | } -------------------------------------------------------------------------------- /.schemas/json/nodeaddress-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "NodeAddress contains information for the node's address.", 3 | "type": "object", 4 | "required": [ 5 | "type", 6 | "address" 7 | ], 8 | "properties": { 9 | "address": { 10 | "description": "The node address.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "type": { 17 | "description": "Node address type, one of Hostname, ExternalIP or InternalIP.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/nodedaemonendpoints-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "NodeDaemonEndpoints lists ports opened by daemons running on the Node.", 3 | "type": "object", 4 | "properties": { 5 | "kubeletEndpoint": { 6 | "description": "DaemonEndpoint contains information about a single Daemon endpoint.", 7 | "type": [ 8 | "object", 9 | "null" 10 | ], 11 | "required": [ 12 | "Port" 13 | ], 14 | "properties": { 15 | "Port": { 16 | "description": "Port 
number of the given endpoint.", 17 | "type": "integer", 18 | "format": "int32" 19 | } 20 | } 21 | } 22 | }, 23 | "$schema": "http://json-schema.org/schema#" 24 | } -------------------------------------------------------------------------------- /.schemas/json/noderuntimehandler-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "NodeRuntimeHandler is a set of runtime handler information.", 3 | "type": "object", 4 | "properties": { 5 | "features": { 6 | "description": "NodeRuntimeHandlerFeatures is a set of runtime features.", 7 | "type": [ 8 | "object", 9 | "null" 10 | ], 11 | "properties": { 12 | "recursiveReadOnlyMounts": { 13 | "description": "RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.", 14 | "type": [ 15 | "boolean", 16 | "null" 17 | ] 18 | } 19 | } 20 | }, 21 | "name": { 22 | "description": "Runtime handler name. Empty for the default runtime handler.", 23 | "type": [ 24 | "string", 25 | "null" 26 | ] 27 | } 28 | }, 29 | "$schema": "http://json-schema.org/schema#" 30 | } -------------------------------------------------------------------------------- /.schemas/json/noderuntimehandlerfeatures-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "NodeRuntimeHandlerFeatures is a set of runtime features.", 3 | "type": "object", 4 | "properties": { 5 | "recursiveReadOnlyMounts": { 6 | "description": "RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.", 7 | "type": [ 8 | "boolean", 9 | "null" 10 | ] 11 | } 12 | }, 13 | "$schema": "http://json-schema.org/schema#" 14 | } -------------------------------------------------------------------------------- /.schemas/json/nonresourceattributes-authorization-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "NonResourceAttributes includes the 
authorization attributes available for non-resource requests to the Authorizer interface", 3 | "type": "object", 4 | "properties": { 5 | "path": { 6 | "description": "Path is the URL path of the request", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "verb": { 13 | "description": "Verb is the standard HTTP verb", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/nonresourcerule-authorization-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "NonResourceRule holds information that describes a rule for the non-resource", 3 | "type": "object", 4 | "required": [ 5 | "verbs" 6 | ], 7 | "properties": { 8 | "nonResourceURLs": { 9 | "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.", 10 | "type": [ 11 | "array", 12 | "null" 13 | ], 14 | "items": { 15 | "type": [ 16 | "string", 17 | "null" 18 | ] 19 | }, 20 | "x-kubernetes-list-type": "atomic" 21 | }, 22 | "verbs": { 23 | "description": "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. 
\"*\" means all.", 24 | "type": [ 25 | "array", 26 | "null" 27 | ], 28 | "items": { 29 | "type": [ 30 | "string", 31 | "null" 32 | ] 33 | }, 34 | "x-kubernetes-list-type": "atomic" 35 | } 36 | }, 37 | "$schema": "http://json-schema.org/schema#" 38 | } -------------------------------------------------------------------------------- /.schemas/json/objectfieldselector-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ObjectFieldSelector selects an APIVersioned field of an object.", 3 | "type": "object", 4 | "required": [ 5 | "fieldPath" 6 | ], 7 | "properties": { 8 | "apiVersion": { 9 | "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "fieldPath": { 16 | "description": "Path of the field to select in the specified API version.", 17 | "type": [ 18 | "string", 19 | "null" 20 | ] 21 | } 22 | }, 23 | "x-kubernetes-map-type": "atomic", 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/overhead-node-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Overhead structure represents the resource overhead associated with running a pod.", 3 | "type": "object", 4 | "properties": { 5 | "podFixed": { 6 | "description": "podFixed represents the fixed resource overhead associated with running a pod.", 7 | "type": [ 8 | "object", 9 | "null" 10 | ], 11 | "additionalProperties": { 12 | "oneOf": [ 13 | { 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | }, 19 | { 20 | "type": [ 21 | "number", 22 | "null" 23 | ] 24 | } 25 | ] 26 | } 27 | } 28 | }, 29 | "$schema": "http://json-schema.org/schema#" 30 | } -------------------------------------------------------------------------------- /.schemas/json/paramkind-admissionregistration-v1.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "ParamKind is a tuple of Group Kind and Version.", 3 | "type": "object", 4 | "properties": { 5 | "apiVersion": { 6 | "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "kind": { 13 | "description": "Kind is the API kind the resources belong to. Required.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "x-kubernetes-map-type": "atomic", 21 | "$schema": "http://json-schema.org/schema#" 22 | } -------------------------------------------------------------------------------- /.schemas/json/patch-meta-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.", 3 | "type": "object", 4 | "$schema": "http://json-schema.org/schema#" 5 | } -------------------------------------------------------------------------------- /.schemas/json/persistentvolumeclaimvolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).", 3 | "type": "object", 4 | "required": [ 5 | "claimName" 6 | ], 7 | "properties": { 8 | "claimName": { 9 | "description": "claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "readOnly": { 16 | "description": "readOnly Will force the ReadOnly setting in VolumeMounts. Default false.", 17 | "type": [ 18 | "boolean", 19 | "null" 20 | ] 21 | } 22 | }, 23 | "$schema": "http://json-schema.org/schema#" 24 | } -------------------------------------------------------------------------------- /.schemas/json/photonpersistentdiskvolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Represents a Photon Controller persistent disk resource.", 3 | "type": "object", 4 | "required": [ 5 | "pdID" 6 | ], 7 | "properties": { 8 | "fsType": { 9 | "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "pdID": { 16 | "description": "pdID is the ID that identifies Photon Controller persistent disk", 17 | "type": [ 18 | "string", 19 | "null" 20 | ] 21 | } 22 | }, 23 | "$schema": "http://json-schema.org/schema#" 24 | } -------------------------------------------------------------------------------- /.schemas/json/poddnsconfigoption-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PodDNSConfigOption defines DNS resolver options of a pod.", 3 | "type": "object", 4 | "properties": { 5 | "name": { 6 | "description": "Required.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "value": { 13 | "type": [ 14 | "string", 15 | "null" 16 | ] 17 | } 18 | }, 19 | "$schema": "http://json-schema.org/schema#" 20 | } -------------------------------------------------------------------------------- 
/.schemas/json/podfailurepolicyonpodconditionspattern-batch-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PodFailurePolicyOnPodConditionsPattern describes a pattern for matching an actual pod condition type.", 3 | "type": "object", 4 | "required": [ 5 | "type", 6 | "status" 7 | ], 8 | "properties": { 9 | "status": { 10 | "description": "Specifies the required Pod condition status. To match a pod condition it is required that the specified status equals the pod condition status. Defaults to True.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "type": { 17 | "description": "Specifies the required Pod condition type. To match a pod condition it is required that specified type equals the pod condition type.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/podip-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PodIP represents a single IP address allocated to the pod.", 3 | "type": "object", 4 | "properties": { 5 | "ip": { 6 | "description": "IP is the IP address assigned to the pod", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | } 12 | }, 13 | "$schema": "http://json-schema.org/schema#" 14 | } -------------------------------------------------------------------------------- /.schemas/json/podos-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PodOS defines the OS parameters of a pod.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "Name is the name of the operating system. The currently supported values are linux and windows. 
Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: null", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/podreadinessgate-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PodReadinessGate contains the reference to a pod condition", 3 | "type": "object", 4 | "required": [ 5 | "conditionType" 6 | ], 7 | "properties": { 8 | "conditionType": { 9 | "description": "ConditionType refers to a condition in the pod's condition list with matching type.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/podresourceclaimstatus-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim which references a ResourceClaimTemplate. It stores the generated name for the corresponding ResourceClaim.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "Name uniquely identifies this resource claim inside the pod. This must match the name of an entry in pod.spec.resourceClaims, which implies that the string must be a DNS_LABEL.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "resourceClaimName": { 16 | "description": "ResourceClaimName is the name of the ResourceClaim that was generated for the Pod in the namespace of the Pod. 
If this is unset, then generating a ResourceClaim was not necessary. The pod.spec.resourceClaims entry can be ignored in this case.", 17 | "type": [ 18 | "string", 19 | "null" 20 | ] 21 | } 22 | }, 23 | "$schema": "http://json-schema.org/schema#" 24 | } -------------------------------------------------------------------------------- /.schemas/json/podschedulinggate-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PodSchedulingGate is associated to a Pod to guard its scheduling.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "Name of the scheduling gate. Each scheduling gate must have a unique name field.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/portworxvolumesource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PortworxVolumeSource represents a Portworx volume resource.", 3 | "type": "object", 4 | "required": [ 5 | "volumeID" 6 | ], 7 | "properties": { 8 | "fsType": { 9 | "description": "fSType represents the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "readOnly": { 16 | "description": "readOnly defaults to false (read/write). 
ReadOnly here will force the ReadOnly setting in VolumeMounts.", 17 | "type": [ 18 | "boolean", 19 | "null" 20 | ] 21 | }, 22 | "volumeID": { 23 | "description": "volumeID uniquely identifies a Portworx volume", 24 | "type": [ 25 | "string", 26 | "null" 27 | ] 28 | } 29 | }, 30 | "$schema": "http://json-schema.org/schema#" 31 | } -------------------------------------------------------------------------------- /.schemas/json/preconditions-meta-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.", 3 | "type": "object", 4 | "properties": { 5 | "resourceVersion": { 6 | "description": "Specifies the target ResourceVersion", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "uid": { 13 | "description": "Specifies the target UID.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/prioritylevelconfigurationreference-flowcontrol-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "`name` is the name of the priority level configuration being referenced Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/prioritylevelconfigurationreference-flowcontrol-v1beta3.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": 
"PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "`name` is the name of the priority level configuration being referenced Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/quantity-resource.json: -------------------------------------------------------------------------------- 1 | { 2 | "oneOf": [ 3 | { 4 | "type": "string" 5 | }, 6 | { 7 | "type": "number" 8 | } 9 | ], 10 | "$schema": "http://json-schema.org/schema#", 11 | "type": "object" 12 | } -------------------------------------------------------------------------------- /.schemas/json/resourceclaim-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. 
It makes that resource available inside a container.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/resourcefieldselector-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ResourceFieldSelector represents container resources (cpu, memory) and their output format", 3 | "type": "object", 4 | "required": [ 5 | "resource" 6 | ], 7 | "properties": { 8 | "containerName": { 9 | "description": "Container name: required for volumes, optional for env vars", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "divisor": { 16 | "oneOf": [ 17 | { 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | { 24 | "type": [ 25 | "number", 26 | "null" 27 | ] 28 | } 29 | ] 30 | }, 31 | "resource": { 32 | "description": "Required: resource to select", 33 | "type": [ 34 | "string", 35 | "null" 36 | ] 37 | } 38 | }, 39 | "x-kubernetes-map-type": "atomic", 40 | "$schema": "http://json-schema.org/schema#" 41 | } -------------------------------------------------------------------------------- /.schemas/json/roleref-rbac-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "RoleRef contains information that points to the role being used", 3 | "type": "object", 4 | "required": [ 5 | "apiGroup", 6 | "kind", 7 | "name" 8 | ], 9 | "properties": { 10 | "apiGroup": { 11 | "description": "APIGroup is the group for the resource being referenced", 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "kind": { 18 | "description": "Kind is the type of resource being referenced", 19 | "type": [ 20 | "string", 21 | "null" 22 | ] 23 | }, 24 | "name": { 25 | "description": "Name is the name of resource being referenced", 26 | "type": [ 27 | "string", 28 | "null" 29 | ] 30 | } 31 | }, 32 | 
"x-kubernetes-map-type": "atomic", 33 | "$schema": "http://json-schema.org/schema#" 34 | } -------------------------------------------------------------------------------- /.schemas/json/rollingupdatedaemonset-apps-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Spec to control the desired behavior of daemon set rolling update.", 3 | "type": "object", 4 | "properties": { 5 | "maxSurge": { 6 | "oneOf": [ 7 | { 8 | "type": [ 9 | "string", 10 | "null" 11 | ] 12 | }, 13 | { 14 | "type": [ 15 | "integer", 16 | "null" 17 | ] 18 | } 19 | ] 20 | }, 21 | "maxUnavailable": { 22 | "oneOf": [ 23 | { 24 | "type": [ 25 | "string", 26 | "null" 27 | ] 28 | }, 29 | { 30 | "type": [ 31 | "integer", 32 | "null" 33 | ] 34 | } 35 | ] 36 | } 37 | }, 38 | "$schema": "http://json-schema.org/schema#" 39 | } -------------------------------------------------------------------------------- /.schemas/json/rollingupdatedeployment-apps-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Spec to control the desired behavior of rolling update.", 3 | "type": "object", 4 | "properties": { 5 | "maxSurge": { 6 | "oneOf": [ 7 | { 8 | "type": [ 9 | "string", 10 | "null" 11 | ] 12 | }, 13 | { 14 | "type": [ 15 | "integer", 16 | "null" 17 | ] 18 | } 19 | ] 20 | }, 21 | "maxUnavailable": { 22 | "oneOf": [ 23 | { 24 | "type": [ 25 | "string", 26 | "null" 27 | ] 28 | }, 29 | { 30 | "type": [ 31 | "integer", 32 | "null" 33 | ] 34 | } 35 | ] 36 | } 37 | }, 38 | "$schema": "http://json-schema.org/schema#" 39 | } -------------------------------------------------------------------------------- /.schemas/json/rollingupdatestatefulsetstrategy-apps-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.", 3 | "type": 
"object", 4 | "properties": { 5 | "maxUnavailable": { 6 | "oneOf": [ 7 | { 8 | "type": [ 9 | "string", 10 | "null" 11 | ] 12 | }, 13 | { 14 | "type": [ 15 | "integer", 16 | "null" 17 | ] 18 | } 19 | ] 20 | }, 21 | "partition": { 22 | "description": "Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.", 23 | "type": [ 24 | "integer", 25 | "null" 26 | ], 27 | "format": "int32" 28 | } 29 | }, 30 | "$schema": "http://json-schema.org/schema#" 31 | } -------------------------------------------------------------------------------- /.schemas/json/scalespec-autoscaling-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ScaleSpec describes the attributes of a scale subresource.", 3 | "type": "object", 4 | "properties": { 5 | "replicas": { 6 | "description": "replicas is the desired number of instances for the scaled object.", 7 | "type": [ 8 | "integer", 9 | "null" 10 | ], 11 | "format": "int32" 12 | } 13 | }, 14 | "$schema": "http://json-schema.org/schema#" 15 | } -------------------------------------------------------------------------------- /.schemas/json/scalestatus-autoscaling-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ScaleStatus represents the current status of a scale subresource.", 3 | "type": "object", 4 | "required": [ 5 | "replicas" 6 | ], 7 | "properties": { 8 | "replicas": { 9 | "description": "replicas is the actual number of observed instances of the scaled object.", 10 | "type": [ 11 | "integer", 12 | "null" 13 | ], 14 | "format": "int32" 15 | }, 16 | "selector": { 17 | "description": "selector is the label query over pods that should match the replicas 
count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/secretenvsource-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SecretEnvSource selects a Secret to populate the environment variables with.\n\nThe contents of the target Secret's Data field will represent the key-value pairs as environment variables.", 3 | "type": "object", 4 | "properties": { 5 | "name": { 6 | "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "optional": { 13 | "description": "Specify whether the Secret must be defined", 14 | "type": [ 15 | "boolean", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/secretkeyselector-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SecretKeySelector selects a key of a Secret.", 3 | "type": "object", 4 | "required": [ 5 | "key" 6 | ], 7 | "properties": { 8 | "key": { 9 | "description": "The key of the secret to select from. Must be a valid secret key.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "name": { 16 | "description": "Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", 17 | "type": [ 18 | "string", 19 | "null" 20 | ] 21 | }, 22 | "optional": { 23 | "description": "Specify whether the Secret or its key must be defined", 24 | "type": [ 25 | "boolean", 26 | "null" 27 | ] 28 | } 29 | }, 30 | "x-kubernetes-map-type": "atomic", 31 | "$schema": "http://json-schema.org/schema#" 32 | } -------------------------------------------------------------------------------- /.schemas/json/secretreference-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 3 | "type": "object", 4 | "properties": { 5 | "name": { 6 | "description": "name is unique within a namespace to reference a secret resource.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "namespace": { 13 | "description": "namespace defines the space within which the secret name must be unique.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "x-kubernetes-map-type": "atomic", 21 | "$schema": "http://json-schema.org/schema#" 22 | } -------------------------------------------------------------------------------- /.schemas/json/selectablefield-apiextensions-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SelectableField specifies the JSON path of a field that may be used with field selectors.", 3 | "type": "object", 4 | "required": [ 5 | "jsonPath" 6 | ], 7 | "properties": { 8 | "jsonPath": { 9 | "description": "jsonPath is a simple JSON path which is evaluated against each custom resource to produce a field selector value. Only JSON paths without the array notation are allowed. Must point to a field of type string, boolean or integer. Types with enum values and strings with formats are allowed. 
If jsonPath refers to an absent field in a resource, the jsonPath evaluates to an empty string. Must not point to metadata fields. Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/selfsubjectrulesreviewspec-authorization-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.", 3 | "type": "object", 4 | "properties": { 5 | "namespace": { 6 | "description": "Namespace to evaluate rules for. Required.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | } 12 | }, 13 | "$schema": "http://json-schema.org/schema#" 14 | } -------------------------------------------------------------------------------- /.schemas/json/selinuxoptions-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SELinuxOptions are the labels to be applied to the container", 3 | "type": "object", 4 | "properties": { 5 | "level": { 6 | "description": "Level is SELinux level label that applies to the container.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "role": { 13 | "description": "Role is a SELinux role label that applies to the container.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | }, 19 | "type": { 20 | "description": "Type is a SELinux type label that applies to the container.", 21 | "type": [ 22 | "string", 23 | "null" 24 | ] 25 | }, 26 | "user": { 27 | "description": "User is a SELinux user label that applies to the container.", 28 | "type": [ 29 | "string", 30 | "null" 31 | ] 32 | } 33 | }, 34 | "$schema": "http://json-schema.org/schema#" 35 | } -------------------------------------------------------------------------------- /.schemas/json/serveraddressbyclientcidr-meta-v1.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "description": "ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.", 3 | "type": "object", 4 | "required": [ 5 | "clientCIDR", 6 | "serverAddress" 7 | ], 8 | "properties": { 9 | "clientCIDR": { 10 | "description": "The CIDR with which clients can match their IP to figure out the server address that they should use.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "serverAddress": { 17 | "description": "Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/serviceaccountsubject-flowcontrol-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", 3 | "type": "object", 4 | "required": [ 5 | "namespace", 6 | "name" 7 | ], 8 | "properties": { 9 | "name": { 10 | "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "namespace": { 17 | "description": "`namespace` is the namespace of matching ServiceAccount objects. 
Required.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/serviceaccountsubject-flowcontrol-v1beta3.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", 3 | "type": "object", 4 | "required": [ 5 | "namespace", 6 | "name" 7 | ], 8 | "properties": { 9 | "name": { 10 | "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "namespace": { 17 | "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/servicebackendport-networking-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ServiceBackendPort is the service port being referenced.", 3 | "type": "object", 4 | "properties": { 5 | "name": { 6 | "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "number": { 13 | "description": "number is the numerical port number (e.g. 80) on the Service. 
This is a mutually exclusive setting with \"Name\".", 14 | "type": [ 15 | "integer", 16 | "null" 17 | ], 18 | "format": "int32" 19 | } 20 | }, 21 | "$schema": "http://json-schema.org/schema#" 22 | } -------------------------------------------------------------------------------- /.schemas/json/servicereference-apiextensions-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ServiceReference holds a reference to Service.legacy.k8s.io", 3 | "type": "object", 4 | "required": [ 5 | "namespace", 6 | "name" 7 | ], 8 | "properties": { 9 | "name": { 10 | "description": "name is the name of the service. Required", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "namespace": { 17 | "description": "namespace is the namespace of the service. Required", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | "path": { 24 | "description": "path is an optional URL path at which the webhook will be contacted.", 25 | "type": [ 26 | "string", 27 | "null" 28 | ] 29 | }, 30 | "port": { 31 | "description": "port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). 
Defaults to 443 for backward compatibility.", 32 | "type": [ 33 | "integer", 34 | "null" 35 | ], 36 | "format": "int32" 37 | } 38 | }, 39 | "$schema": "http://json-schema.org/schema#" 40 | } -------------------------------------------------------------------------------- /.schemas/json/servicereference-apiregistration-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "ServiceReference holds a reference to Service.legacy.k8s.io", 3 | "type": "object", 4 | "properties": { 5 | "name": { 6 | "description": "Name is the name of the service", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "namespace": { 13 | "description": "Namespace is the namespace of the service", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | }, 19 | "port": { 20 | "description": "If specified, the port on the service that is hosting the webhook. Defaults to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).", 21 | "type": [ 22 | "integer", 23 | "null" 24 | ], 25 | "format": "int32" 26 | } 27 | }, 28 | "$schema": "http://json-schema.org/schema#" 29 | } -------------------------------------------------------------------------------- /.schemas/json/sessionaffinityconfig-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SessionAffinityConfig represents the configurations of session affinity.", 3 | "type": "object", 4 | "properties": { 5 | "clientIP": { 6 | "description": "ClientIPConfig represents the configurations of Client IP based session affinity.", 7 | "type": [ 8 | "object", 9 | "null" 10 | ], 11 | "properties": { 12 | "timeoutSeconds": { 13 | "description": "timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == \"ClientIP\". 
Default value is 10800(for 3 hours).", 14 | "type": [ 15 | "integer", 16 | "null" 17 | ], 18 | "format": "int32" 19 | } 20 | } 21 | } 22 | }, 23 | "$schema": "http://json-schema.org/schema#" 24 | } -------------------------------------------------------------------------------- /.schemas/json/sleepaction-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "SleepAction describes a \"sleep\" action.", 3 | "type": "object", 4 | "required": [ 5 | "seconds" 6 | ], 7 | "properties": { 8 | "seconds": { 9 | "description": "Seconds is the number of seconds to sleep.", 10 | "type": [ 11 | "integer", 12 | "null" 13 | ], 14 | "format": "int64" 15 | } 16 | }, 17 | "$schema": "http://json-schema.org/schema#" 18 | } -------------------------------------------------------------------------------- /.schemas/json/statefulsetordinals-apps-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "StatefulSetOrdinals describes the policy used for replica ordinal assignment in this StatefulSet.", 3 | "type": "object", 4 | "properties": { 5 | "start": { 6 | "description": "start is the number representing the first replica's index. It may be used to number replicas from an alternate index (eg: 1-indexed) over the default 0-indexed names, or to orchestrate progressive movement of replicas from one StatefulSet to another. If set, replica indices will be in the range:\n [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).\nIf unset, defaults to 0. 
Replica indices will be in the range:\n [0, .spec.replicas).", 7 | "type": [ 8 | "integer", 9 | "null" 10 | ], 11 | "format": "int32" 12 | } 13 | }, 14 | "$schema": "http://json-schema.org/schema#" 15 | } -------------------------------------------------------------------------------- /.schemas/json/statefulsetpersistentvolumeclaimretentionpolicy-apps-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from the StatefulSet VolumeClaimTemplates.", 3 | "type": "object", 4 | "properties": { 5 | "whenDeleted": { 6 | "description": "WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted. The default policy of `Retain` causes PVCs to not be affected by StatefulSet deletion. The `Delete` policy causes those PVCs to be deleted.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "whenScaled": { 13 | "description": "WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. The default policy of `Retain` causes PVCs to not be affected by a scaledown. 
The `Delete` policy causes the associated PVCs for any excess pods above the replica count to be deleted.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ] 18 | } 19 | }, 20 | "$schema": "http://json-schema.org/schema#" 21 | } -------------------------------------------------------------------------------- /.schemas/json/sysctl-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Sysctl defines a kernel parameter to be set", 3 | "type": "object", 4 | "required": [ 5 | "name", 6 | "value" 7 | ], 8 | "properties": { 9 | "name": { 10 | "description": "Name of a property to set", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "value": { 17 | "description": "Value of a property to set", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/tcpsocketaction-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "TCPSocketAction describes an action based on opening a socket", 3 | "type": "object", 4 | "required": [ 5 | "port" 6 | ], 7 | "properties": { 8 | "host": { 9 | "description": "Optional: Host name to connect to, defaults to the pod IP.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "port": { 16 | "oneOf": [ 17 | { 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | { 24 | "type": [ 25 | "integer", 26 | "null" 27 | ] 28 | } 29 | ] 30 | } 31 | }, 32 | "$schema": "http://json-schema.org/schema#" 33 | } -------------------------------------------------------------------------------- /.schemas/json/time-meta-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", 3 | "type": "string", 4 | "format": "date-time", 5 | "$schema": "http://json-schema.org/schema#" 6 | } -------------------------------------------------------------------------------- /.schemas/json/tokenrequest-storage-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "TokenRequest contains parameters of a service account token.", 3 | "type": "object", 4 | "required": [ 5 | "audience" 6 | ], 7 | "properties": { 8 | "audience": { 9 | "description": "audience is the intended audience of the token in \"TokenRequestSpec\". It will default to the audiences of kube apiserver.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | }, 15 | "expirationSeconds": { 16 | "description": "expirationSeconds is the duration of validity of the token in \"TokenRequestSpec\". It has the same default value of \"ExpirationSeconds\" in \"TokenRequestSpec\".", 17 | "type": [ 18 | "integer", 19 | "null" 20 | ], 21 | "format": "int64" 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/tokenrequeststatus-authentication-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "TokenRequestStatus is the result of a token request.", 3 | "type": "object", 4 | "required": [ 5 | "token", 6 | "expirationTimestamp" 7 | ], 8 | "properties": { 9 | "expirationTimestamp": { 10 | "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ], 15 | "format": "date-time" 16 | }, 17 | "token": { 18 | "description": "Token is the opaque bearer token.", 19 | "type": [ 20 | "string", 21 | "null" 22 | ] 23 | } 24 | }, 25 | "$schema": "http://json-schema.org/schema#" 26 | } -------------------------------------------------------------------------------- /.schemas/json/tokenreviewspec-authentication-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "TokenReviewSpec is a description of the token authentication request.", 3 | "type": "object", 4 | "properties": { 5 | "audiences": { 6 | "description": "Audiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "x-kubernetes-list-type": "atomic" 18 | }, 19 | "token": { 20 | "description": "Token is the opaque bearer token.", 21 | "type": [ 22 | "string", 23 | "null" 24 | ] 25 | } 26 | }, 27 | "$schema": "http://json-schema.org/schema#" 28 | } -------------------------------------------------------------------------------- /.schemas/json/topologyselectorlabelrequirement-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "A topology selector requirement is a selector that matches given label. 
This is an alpha feature and may change in the future.", 3 | "type": "object", 4 | "required": [ 5 | "key", 6 | "values" 7 | ], 8 | "properties": { 9 | "key": { 10 | "description": "The label key that the selector applies to.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "values": { 17 | "description": "An array of string values. One value must match the label to be selected. Each entry in Values is ORed.", 18 | "type": [ 19 | "array", 20 | "null" 21 | ], 22 | "items": { 23 | "type": [ 24 | "string", 25 | "null" 26 | ] 27 | }, 28 | "x-kubernetes-list-type": "atomic" 29 | } 30 | }, 31 | "$schema": "http://json-schema.org/schema#" 32 | } -------------------------------------------------------------------------------- /.schemas/json/typedlocalobjectreference-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.", 3 | "type": "object", 4 | "required": [ 5 | "kind", 6 | "name" 7 | ], 8 | "properties": { 9 | "apiGroup": { 10 | "description": "APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. 
For any other third-party types, APIGroup is required.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "kind": { 17 | "description": "Kind is the type of resource being referenced", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | }, 23 | "name": { 24 | "description": "Name is the name of resource being referenced", 25 | "type": [ 26 | "string", 27 | "null" 28 | ] 29 | } 30 | }, 31 | "x-kubernetes-map-type": "atomic", 32 | "$schema": "http://json-schema.org/schema#" 33 | } -------------------------------------------------------------------------------- /.schemas/json/uncountedterminatedpods-batch-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't been accounted in Job status counters.", 3 | "type": "object", 4 | "properties": { 5 | "failed": { 6 | "description": "failed holds UIDs of failed Pods.", 7 | "type": [ 8 | "array", 9 | "null" 10 | ], 11 | "items": { 12 | "type": [ 13 | "string", 14 | "null" 15 | ] 16 | }, 17 | "x-kubernetes-list-type": "set" 18 | }, 19 | "succeeded": { 20 | "description": "succeeded holds UIDs of succeeded Pods.", 21 | "type": [ 22 | "array", 23 | "null" 24 | ], 25 | "items": { 26 | "type": [ 27 | "string", 28 | "null" 29 | ] 30 | }, 31 | "x-kubernetes-list-type": "set" 32 | } 33 | }, 34 | "$schema": "http://json-schema.org/schema#" 35 | } -------------------------------------------------------------------------------- /.schemas/json/usersubject-flowcontrol-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "UserSubject holds detailed information for user-kind subject.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "`name` is the username that matches, or \"*\" to match all usernames. 
Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/usersubject-flowcontrol-v1beta3.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "UserSubject holds detailed information for user-kind subject.", 3 | "type": "object", 4 | "required": [ 5 | "name" 6 | ], 7 | "properties": { 8 | "name": { 9 | "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", 10 | "type": [ 11 | "string", 12 | "null" 13 | ] 14 | } 15 | }, 16 | "$schema": "http://json-schema.org/schema#" 17 | } -------------------------------------------------------------------------------- /.schemas/json/variable-admissionregistration-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.", 3 | "type": "object", 4 | "required": [ 5 | "name", 6 | "expression" 7 | ], 8 | "properties": { 9 | "expression": { 10 | "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "name": { 17 | "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "x-kubernetes-map-type": "atomic", 25 | "$schema": "http://json-schema.org/schema#" 26 | } -------------------------------------------------------------------------------- /.schemas/json/volumedevice-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "volumeDevice describes a mapping of a raw block device within a container.", 3 | "type": "object", 4 | "required": [ 5 | "name", 6 | "devicePath" 7 | ], 8 | "properties": { 9 | "devicePath": { 10 | "description": "devicePath is the path inside of the container that the device will be mapped to.", 11 | "type": [ 12 | "string", 13 | "null" 14 | ] 15 | }, 16 | "name": { 17 | "description": "name must match the name of a persistentVolumeClaim in the pod", 18 | "type": [ 19 | "string", 20 | "null" 21 | ] 22 | } 23 | }, 24 | "$schema": "http://json-schema.org/schema#" 25 | } -------------------------------------------------------------------------------- /.schemas/json/volumeerror-storage-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "VolumeError captures an error encountered during a volume operation.", 3 | "type": "object", 4 | "properties": { 5 | "message": { 6 | "description": "message represents the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.", 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | }, 12 | "time": { 13 | "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", 14 | "type": [ 15 | "string", 16 | "null" 17 | ], 18 | "format": "date-time" 19 | } 20 | }, 21 | "$schema": "http://json-schema.org/schema#" 22 | } -------------------------------------------------------------------------------- /.schemas/json/volumenoderesources-storage-v1.json: -------------------------------------------------------------------------------- 1 | { 2 | "description": "VolumeNodeResources is a set of resource limits for scheduling of volumes.", 3 | "type": "object", 4 | "properties": { 5 | "count": { 6 | "description": "count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.", 7 | "type": [ 8 | "integer", 9 | "null" 10 | ], 11 | "format": "int32" 12 | } 13 | }, 14 | "$schema": "http://json-schema.org/schema#" 15 | } -------------------------------------------------------------------------------- /.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "0.2.0", 3 | "configurations": [ 4 | { 5 | "name": "API", 6 | "type": "go", 7 | "request": "launch", 8 | "mode": "auto", 9 | "program": "${workspaceFolder}", 10 | "args": [ 11 | "serve" 12 | ] 13 | }, 14 | { 15 | "name": "CLI", 16 | "type": "go", 17 | "request": "launch", 18 | "mode": "auto", 19 | "program": "${workspaceFolder}/cmd/cli", 20 | "args": [ 21 | "scan", 22 | "--policy", 23 | "/tmp/kube-policy.yaml", 24 | "--payload", 25 | "/tmp/pod.json" 26 | ], 27 | }, 28 | ] 29 | } -------------------------------------------------------------------------------- /catalog/dockerfile/dockerfile-deny-expose-22.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: dockerfile-deny-expose-port-22 5 | labels: 6 | dockerfile.tags.kyverno.io: 'dockerfile' 7 | annotations: 8 | title.policy.kyverno.io: Dockerfile expose port 22 not allowed 9 | description.policy.kyverno.io: This Policy ensures that port 22 is not exposed in Dockerfile. 10 | spec: 11 | rules: 12 | - name: check-port-exposure 13 | assert: 14 | all: 15 | - message: "Port 22 exposure is not allowed" 16 | check: 17 | ~.(Stages[].Commands[?Name=='EXPOSE'][]): 18 | (contains(Ports, '22') || contains(Ports, '22/TCP')): false -------------------------------------------------------------------------------- /catalog/dockerfile/dockerfile-deny-latest-image.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: dockerfile-deny-latest-image-tag 5 | labels: 6 | dockerfile.tags.kyverno.io: 'dockerfile' 7 | annotations: 8 | title.policy.kyverno.io: Dockerfile latest image tag not allowed 9 | description.policy.kyverno.io: This Policy ensures that no image uses the latest tag in Dockerfile. 
10 | spec: 11 | rules: 12 | - name: check-latest-tag 13 | assert: 14 | all: 15 | - message: "Latest tag is not allowed" 16 | check: 17 | ~.(Stages[].From.Image): 18 | (contains(@, ':latest')): false -------------------------------------------------------------------------------- /catalog/dockerfile/dockerfile-disallow-apt.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: dockerfile-disallow-apt 5 | labels: 6 | dockerfile.tags.kyverno.io: 'dockerfile' 7 | annotations: 8 | title.policy.kyverno.io: Ensure apt is not used in Dockerfile 9 | description.policy.kyverno.io: This Policy ensures that apt is not used; apt-get can be used instead, as the apt interface is less stable than apt-get and so apt-get is preferred. 10 | spec: 11 | rules: 12 | - name: dockerfile-disallow-apt 13 | assert: 14 | any: 15 | - message: "apt not allowed" 16 | check: 17 | ~.(Stages[].Commands[].CmdLine[]): 18 | (contains(@, 'apt ')) : false 19 | -------------------------------------------------------------------------------- /catalog/dockerfile/dockerfile-disallow-last-user-root.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: dockerfile-disallow-last-user-root 5 | labels: 6 | dockerfile.tags.kyverno.io: 'dockerfile' 7 | annotations: 8 | title.policy.kyverno.io: Dockerfile last user is not allowed to be root 9 | description.policy.kyverno.io: This Policy ensures that the last user in the Dockerfile is not root. 
10 | spec: 11 | rules: 12 | - name: check-disallow-last-user-root 13 | assert: 14 | all: 15 | - message: "Last user root not allowed" 16 | check: 17 | ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false -------------------------------------------------------------------------------- /catalog/dockerfile/dockerfile-disallow-sudo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: dockerfile-disallow-sudo 5 | labels: 6 | dockerfile.tags.kyverno.io: 'dockerfile' 7 | annotations: 8 | title.policy.kyverno.io: Ensure sudo is not used in Dockerfile 9 | description.policy.kyverno.io: This Policy ensures that sudo isn’t used. 10 | spec: 11 | rules: 12 | - name: dockerfile-disallow-sudo 13 | assert: 14 | all: 15 | - message: "sudo not allowed" 16 | check: 17 | ~.(Stages[].Commands[].CmdLine[]): 18 | (contains(@, 'sudo')) : false -------------------------------------------------------------------------------- /catalog/ecs/ecs-cluster-enable-logging.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: ecs-cluster-enable-logging 5 | labels: 6 | ecs.aws.tags.kyverno.io: 'ecs-cluster' 7 | annotations: 8 | title.policy.kyverno.io: ECS cluster enable logging 9 | description.policy.kyverno.io: This Policy ensures that ECS clusters have logging enabled. 
10 | spec: 11 | rules: 12 | - name: ecs-cluster-enable-logging 13 | match: 14 | any: 15 | - type: aws_ecs_cluster 16 | context: 17 | - name: forbidden_values 18 | variable: ["NONE"] 19 | assert: 20 | all: 21 | - message: "ECS Cluster should enable logging of ECS Exec" 22 | check: 23 | values: 24 | ~.configuration: 25 | ~.execute_command_configuration: 26 | (contains($forbidden_values, @.logging)): false 27 | -------------------------------------------------------------------------------- /catalog/ecs/ecs-cluster-required-container-insights.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-container-insights 5 | labels: 6 | ecs.aws.tags.kyverno.io: 'ecs-cluster' 7 | annotations: 8 | title.policy.kyverno.io: ECS requires container insights 9 | description.policy.kyverno.io: This Policy ensures that ECS clusters have container insights enabled. 10 | spec: 11 | rules: 12 | - name: required-container-insights 13 | match: 14 | any: 15 | - type: aws_ecs_cluster 16 | assert: 17 | all: 18 | - message: "Container insights should be enabled on ECS cluster" 19 | check: 20 | values: 21 | ~.setting: 22 | name: containerInsights 23 | value: enabled 24 | 25 | 26 | -------------------------------------------------------------------------------- /catalog/ecs/ecs-service-public-ip.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: ecs-public-ip 5 | labels: 6 | ecs.aws.tags.kyverno.io: 'ecs-service' 7 | annotations: 8 | title.policy.kyverno.io: ECS public IP 9 | description.policy.kyverno.io: This Policy ensures that ECS services do not have public IP addresses assigned to them automatically. 
10 | spec: 11 | rules: 12 | - name: ecs-public-ip 13 | match: 14 | any: 15 | - type: aws_ecs_service 16 | context: 17 | - name: allowed-values 18 | variable: [false] 19 | assert: 20 | all: 21 | - message: "ECS services should not have public IP addresses assigned to them automatically" 22 | check: 23 | values: 24 | ~.network_configuration: 25 | (contains('$allowed-values', @.assign_public_ip)): false -------------------------------------------------------------------------------- /catalog/ecs/ecs-service-required-latest-platform-fargate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-latest-platform-fargate 5 | labels: 6 | ecs.aws.tags.kyverno.io: 'ecs-service' 7 | annotations: 8 | title.policy.kyverno.io: ECS require latest platform fargate 9 | description.policy.kyverno.io: This Policy ensures that ECS Fargate services run on the latest Fargate platform version. 10 | spec: 11 | rules: 12 | - name: required-latest-platform 13 | match: 14 | any: 15 | - type: aws_ecs_service 16 | values: 17 | launch_type: FARGATE 18 | context: 19 | - name: pv 20 | variable: platform_version 21 | assert: 22 | all: 23 | - message: "ECS Fargate services should run on the latest Fargate platform version" 24 | check: 25 | values: 26 | platform_version: 'LATEST' -------------------------------------------------------------------------------- /catalog/ecs/ecs-task-definition-fs-read-only.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: fs-read-only 5 | labels: 6 | ecs.aws.tags.kyverno.io: 'ecs-task-definition' 7 | annotations: 8 | title.policy.kyverno.io: ECS require filesystem read only 9 | description.policy.kyverno.io: This Policy ensures that ECS containers only have read-only access to their root filesystems. 
10 | spec: 11 | rules: 12 | - name: require-fs-read-only 13 | match: 14 | any: 15 | - type: aws_ecs_task_definition 16 | assert: 17 | any: 18 | - message: ECS containers should only have read-only access to root filesystems 19 | check: 20 | values: 21 | ~.(json_parse(container_definitions)): 22 | readonlyRootFilesystem: true 23 | 24 | -------------------------------------------------------------------------------- /catalog/ecs/policy-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: foo-bar 8 | assert: 9 | all: 10 | - check: 11 | foo: 12 | /(bar)/: 10 13 | -------------------------------------------------------------------------------- /charts/kyverno-json/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/kyverno-json/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kyverno-json 3 | type: application 4 | version: 0.1.0 5 | appVersion: v0.1.0 6 | icon: https://github.com/kyverno/kyverno-json/blob/main/website/docs/static/kyverno-json-logo.png 7 | description: Kyverno for JSON 8 | keywords: 9 | - kubernetes 10 | - policy agent 11 | sources: 12 | - https://github.com/kyverno/kyverno-json 13 | maintainers: 14 | - name: Nirmata 15 | url: https://kyverno.io/ 16 | email: cncf-kyverno-maintainers@lists.cncf.io 17 | kubeVersion: ">=1.16.0-0" 18 | -------------------------------------------------------------------------------- /charts/kyverno-json/templates/clusterroles.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | metadata: 5 | name: {{ include "kyverno-json.fullname" . }} 6 | labels: 7 | {{- include "kyverno-json.labels" . | nindent 4 }} 8 | rules: 9 | - apiGroups: 10 | - json.kyverno.io 11 | resources: 12 | - validationpolicies 13 | verbs: 14 | - get 15 | - list 16 | --- 17 | kind: ClusterRoleBinding 18 | apiVersion: rbac.authorization.k8s.io/v1 19 | metadata: 20 | name: {{ include "kyverno-json.fullname" . }} 21 | labels: 22 | {{- include "kyverno-json.labels" . | nindent 4 }} 23 | roleRef: 24 | apiGroup: rbac.authorization.k8s.io 25 | kind: ClusterRole 26 | name: {{ include "kyverno-json.fullname" . 
}} 27 | subjects: 28 | - kind: ServiceAccount 29 | name: {{ include "kyverno-json.serviceAccountName" $ }} 30 | namespace: {{ $.Release.Namespace }} 31 | -------------------------------------------------------------------------------- /charts/kyverno-json/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "kyverno-json.fullname" . }} 6 | labels: 7 | {{- include "kyverno-json.labels" . | nindent 4 }} 8 | spec: 9 | scaleTargetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: {{ include "kyverno-json.fullname" . }} 13 | minReplicas: {{ .Values.autoscaling.minReplicas }} 14 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 15 | metrics: 16 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 21 | {{- end }} 22 | {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} 23 | - type: Resource 24 | resource: 25 | name: memory 26 | targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/kyverno-json/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "kyverno-json.fullname" . }} 5 | labels: 6 | {{- include "kyverno-json.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "kyverno-json.selectorLabels" . 
| nindent 4 }} 16 | -------------------------------------------------------------------------------- /charts/kyverno-json/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "kyverno-json.serviceAccountName" . }} 6 | labels: 7 | {{- include "kyverno-json.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /codecov.yml: -------------------------------------------------------------------------------- 1 | ignore: 2 | - pkg/apis/v1alpha1/zz_generated.deepcopy.go 3 | - pkg/apis/v1alpha1/zz_generated.register.go 4 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "os" 5 | 6 | "github.com/kyverno/kyverno-json/pkg/commands" 7 | ) 8 | 9 | func main() { 10 | root := commands.RootCommand() 11 | if err := root.Execute(); err != nil { 12 | os.Exit(1) 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /pkg/apis/doc.go: -------------------------------------------------------------------------------- 1 | package apis 2 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/assert.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | // Assert defines collections of assertions. 4 | type Assert struct { 5 | // Compiler defines the default compiler to use when evaluating expressions. 
6 | // +optional 7 | Compiler *Compiler `json:"compiler,omitempty"` 8 | 9 | // Any allows specifying assertions which will be ORed. 10 | // +optional 11 | Any []Assertion `json:"any,omitempty"` 12 | 13 | // All allows specifying assertions which will be ANDed. 14 | // +optional 15 | All []Assertion `json:"all,omitempty"` 16 | } 17 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/assertion.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | // Assertion contains an assertion tree associated with a message. 4 | type Assertion struct { 5 | // Compiler defines the default compiler to use when evaluating expressions. 6 | // +optional 7 | Compiler *Compiler `json:"compiler,omitempty"` 8 | 9 | // Message is the message associated message. 10 | // +optional 11 | Message *Message `json:"message,omitempty"` 12 | 13 | // Check is the assertion check definition. 14 | Check AssertionTree `json:"check"` 15 | } 16 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/compiler.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | // Compiler defines the compiler to use when evaluating expressions. 4 | // +kubebuilder:validation:Enum:=jp;cel 5 | type Compiler string 6 | 7 | const ( 8 | EngineJP Compiler = "jp" 9 | EngineCEL Compiler = "cel" 10 | ) 11 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/context_entry.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | // ContextEntry adds variables and data sources to a rule context. 4 | type ContextEntry struct { 5 | // Compiler defines the default compiler to use when evaluating expressions. 
6 | // +optional 7 | Compiler *Compiler `json:"compiler,omitempty"` 8 | 9 | // Name is the entry name. 10 | Name string `json:"name"` 11 | 12 | // Variable defines an arbitrary variable. 13 | // +optional 14 | Variable Any `json:"variable,omitempty"` 15 | } 16 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/doc.go: -------------------------------------------------------------------------------- 1 | // Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group 2 | // +k8s:deepcopy-gen=package 3 | // +kubebuilder:object:generate=true 4 | // +groupName=json.kyverno.io 5 | package v1alpha1 6 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/feedback.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | // Feedback contains a feedback entry. 4 | type Feedback struct { 5 | // Compiler defines the default compiler to use when evaluating expressions. 6 | // +optional 7 | Compiler *Compiler `json:"compiler,omitempty"` 8 | 9 | // Name is the feedback entry name. 10 | Name string `json:"name"` 11 | 12 | // Value is the feedback entry value (a JMESPath expression). 13 | // +optional 14 | Value *Any `json:"value,omitempty"` 15 | } 16 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/match.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | // Match defines collections of assertion trees. 4 | type Match struct { 5 | // Compiler defines the default compiler to use when evaluating expressions. 6 | // +optional 7 | Compiler *Compiler `json:"compiler,omitempty"` 8 | 9 | // Any allows specifying assertion trees which will be ORed. 
10 | // +optional 11 | Any []AssertionTree `json:"any,omitempty"` 12 | 13 | // All allows specifying assertion trees which will be ANDed. 14 | // +optional 15 | All []AssertionTree `json:"all,omitempty"` 16 | } 17 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/message.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | import ( 4 | "github.com/kyverno/kyverno-json/pkg/core/message" 5 | "k8s.io/apimachinery/pkg/util/json" 6 | ) 7 | 8 | type _message = message.Message 9 | 10 | // Message stores a message template. 11 | // +k8s:deepcopy-gen=false 12 | // +kubebuilder:validation:Type:=string 13 | type Message struct { 14 | _message 15 | } 16 | 17 | func (a *Message) MarshalJSON() ([]byte, error) { 18 | return json.Marshal(a.Original()) 19 | } 20 | 21 | func (a *Message) UnmarshalJSON(data []byte) error { 22 | var v string 23 | err := json.Unmarshal(data, &v) 24 | if err != nil { 25 | return err 26 | } 27 | a._message = message.Parse(v) 28 | return nil 29 | } 30 | 31 | func (in *Message) DeepCopyInto(out *Message) { 32 | out._message = in._message 33 | } 34 | 35 | func (in *Message) DeepCopy() *Message { 36 | if in == nil { 37 | return nil 38 | } 39 | out := new(Message) 40 | in.DeepCopyInto(out) 41 | return out 42 | } 43 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/validating_policy.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | import ( 4 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 5 | ) 6 | 7 | // +genclient 8 | // +genclient:nonNamespaced 9 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 10 | // +kubebuilder:object:root=true 11 | // +kubebuilder:resource:scope=Cluster 12 | 13 | // ValidatingPolicy is the resource that contains the policy definition. 
14 | type ValidatingPolicy struct { 15 | metav1.TypeMeta `json:",inline"` 16 | 17 | // Standard object's metadata. 18 | // +optional 19 | metav1.ObjectMeta `json:"metadata,omitempty"` 20 | 21 | // Policy spec. 22 | Spec ValidatingPolicySpec `json:"spec"` 23 | } 24 | 25 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 26 | 27 | // ValidatingPolicyList is a list of ValidatingPolicy instances. 28 | type ValidatingPolicyList struct { 29 | metav1.TypeMeta `json:",inline"` 30 | metav1.ListMeta `json:"metadata"` 31 | Items []ValidatingPolicy `json:"items"` 32 | } 33 | -------------------------------------------------------------------------------- /pkg/apis/policy/v1alpha1/validating_policy_spec.go: -------------------------------------------------------------------------------- 1 | package v1alpha1 2 | 3 | // ValidatingPolicySpec contains the policy spec. 4 | type ValidatingPolicySpec struct { 5 | // Compiler defines the default compiler to use when evaluating expressions. 6 | // +optional 7 | Compiler *Compiler `json:"compiler,omitempty"` 8 | 9 | // Rules is a list of ValidatingRule instances. 10 | Rules []ValidatingRule `json:"rules"` 11 | } 12 | -------------------------------------------------------------------------------- /pkg/catalog/metadata.go: -------------------------------------------------------------------------------- 1 | package catalog 2 | 3 | const ( 4 | TagsLabelSuffix = ".tags.kyverno.io" 5 | AnnotationPolicyDescription = "description.policy.kyverno.io" 6 | AnnotationPolicyTitle = "title.policy.kyverno.io" 7 | ) 8 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/fake/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Code generated by client-gen. DO NOT EDIT. 18 | 19 | // This package has the automatically generated fake clientset. 20 | package fake 21 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/scheme/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Code generated by client-gen. DO NOT EDIT. 18 | 19 | // This package contains the scheme of the automatically generated clientset. 20 | package scheme 21 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/policy/v1alpha1/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 
3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Code generated by client-gen. DO NOT EDIT. 18 | 19 | // This package has the automatically generated typed clients. 20 | package v1alpha1 21 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Code generated by client-gen. DO NOT EDIT. 18 | 19 | // Package fake has the automatically generated clients. 
20 | package fake 21 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/policy/v1alpha1/generated_expansion.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Code generated by client-gen. DO NOT EDIT. 18 | 19 | package v1alpha1 20 | 21 | type ValidatingPolicyExpansion interface{} 22 | -------------------------------------------------------------------------------- /pkg/client/listers/policy/v1alpha1/expansion_generated.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Code generated by lister-gen. DO NOT EDIT. 
18 | 19 | package v1alpha1 20 | 21 | // ValidatingPolicyListerExpansion allows custom methods to be added to 22 | // ValidatingPolicyLister. 23 | type ValidatingPolicyListerExpansion interface{} 24 | -------------------------------------------------------------------------------- /pkg/command/example.go: -------------------------------------------------------------------------------- 1 | package command 2 | 3 | type Example struct { 4 | title string 5 | command string 6 | } 7 | -------------------------------------------------------------------------------- /pkg/command/option.go: -------------------------------------------------------------------------------- 1 | package command 2 | 3 | type option = func(*Command) 4 | 5 | func WithDescription(description ...string) option { 6 | return func(d *Command) { 7 | d.description = description 8 | } 9 | } 10 | 11 | func WithWebsiteUrl(websiteUrl string) option { 12 | return func(d *Command) { 13 | d.websiteUrl = websiteUrl 14 | } 15 | } 16 | 17 | func WithExample(title, command string) option { 18 | return func(d *Command) { 19 | d.examples = append(d.examples, Example{ 20 | title: title, 21 | command: command, 22 | }) 23 | } 24 | } 25 | 26 | func WithExperimental(experimental bool) option { 27 | return func(d *Command) { 28 | d.experimental = experimental 29 | } 30 | } 31 | 32 | func WithParents(parents ...string) option { 33 | return func(d *Command) { 34 | d.parents = parents 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /pkg/commands/docs/options.go: -------------------------------------------------------------------------------- 1 | package docs 2 | 3 | import ( 4 | "errors" 5 | "os" 6 | 7 | "github.com/spf13/cobra" 8 | "github.com/spf13/cobra/doc" 9 | ) 10 | 11 | type options struct { 12 | path string 13 | website bool 14 | autogenTag bool 15 | } 16 | 17 | func (o options) validate(root *cobra.Command) error { 18 | if o.path == "" { 19 | return errors.New("path 
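is required")
	}
	if root == nil {
		return errors.New("root command is required")
	}
	return nil
}

// execute renders the markdown documentation tree for root into o.path,
// creating the directory when it does not exist yet.
//
// In website mode every generated page gets a front-matter header
// (websitePrepender) and link targets are rewritten for the website layout
// (websiteLinkHandler); otherwise pages get no header and links are kept as-is.
// A non-"not exist" error from os.Stat (e.g. permission denied) is not handled
// here; it surfaces from the markdown generator instead. Returns the first
// error from directory creation or markdown generation.
func (o options) execute(root *cobra.Command) error {
	prepender, linkHandler := empty, identity
	if o.website {
		prepender, linkHandler = websitePrepender, websiteLinkHandler
	}
	if _, err := os.Stat(o.path); errors.Is(err, os.ErrNotExist) {
		// 0o755 rather than os.ModeDir|os.ModePerm: MkdirAll ignores the ModeDir
		// bit, and ModePerm asked for a world-writable (umask permitting) output
		// directory, which generated docs do not need.
		if err := os.MkdirAll(o.path, 0o755); err != nil {
			return err
		}
	}
	// cobra's auto-generated timestamp footer is emitted only when asked for.
	root.DisableAutoGenTag = !o.autogenTag
	return doc.GenMarkdownTreeCustom(root, o.path, prepender, linkHandler)
}
-------------------------------------------------------------------------------- /pkg/commands/docs/utils.go: --------------------------------------------------------------------------------
package docs

import (
	"fmt"
	"path/filepath"
	"strings"
	"time"
)

// fmTemplate is the front matter prepended to every page in website mode; the
// placeholders are the generation timestamp and the page title.
const fmTemplate = `---
date: %s
title: "%s"
weight: 35
---
`

// websitePrepender returns the front matter for the page generated at filename:
// the current time in RFC3339 and a title derived from the file's base name with
// its extension dropped and underscores turned into spaces
// ("kyverno-json_scan.md" -> "kyverno-json scan"). Because the timestamp is
// time.Now(), regenerating the docs always produces a diff.
func websitePrepender(filename string) string {
	stamp := time.Now().Format(time.RFC3339)
	base := filepath.Base(filename)
	title := strings.TrimSuffix(base, filepath.Ext(base))
	return fmt.Sprintf(fmTemplate, stamp, strings.ReplaceAll(title, "_", " "))
}

// websiteLinkHandler rewrites a generated link target for the website layout:
// the extension is dropped and the path is made relative to the parent page.
func websiteLinkHandler(filename string) string {
	target := strings.TrimSuffix(filename, filepath.Ext(filename))
	return "../" + target
}

// identity is the link handler used outside website mode: links are kept as-is.
func identity(s string) string {
	return s
}

// empty is the prepender used outside website mode: no front matter at all.
func empty(s string) string {
	return ""
}
-------------------------------------------------------------------------------- /pkg/commands/playground/command.go: --------------------------------------------------------------------------------
package playground

import (
	"github.com/gin-gonic/gin"
	"github.com/spf13/cobra"
)

func Command(parents ...string) *cobra.Command {
	var command options
	cmd := &cobra.Command{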
11 | Use: "playground", 12 | Short: "playground", 13 | Long: "Serve playground", 14 | Args: cobra.NoArgs, 15 | SilenceUsage: true, 16 | RunE: command.Run, 17 | } 18 | // server flags 19 | cmd.Flags().StringVar(&command.serverFlags.host, "server-host", "0.0.0.0", "server host") 20 | cmd.Flags().IntVar(&command.serverFlags.port, "server-port", 8080, "server port") 21 | // gin flags 22 | cmd.Flags().StringVar(&command.ginFlags.mode, "gin-mode", gin.ReleaseMode, "gin run mode") 23 | cmd.Flags().BoolVar(&command.ginFlags.log, "gin-log", true, "enable gin logger") 24 | cmd.Flags().BoolVar(&command.ginFlags.cors, "gin-cors", true, "enable gin cors") 25 | cmd.Flags().IntVar(&command.ginFlags.maxBodySize, "gin-max-body-size", 2*1024*1024, "gin max body size") 26 | return cmd 27 | } 28 | -------------------------------------------------------------------------------- /pkg/commands/scan/command.go: -------------------------------------------------------------------------------- 1 | package scan 2 | 3 | import ( 4 | "github.com/spf13/cobra" 5 | ) 6 | 7 | func Command() *cobra.Command { 8 | var command options 9 | cmd := &cobra.Command{ 10 | Use: "scan", 11 | Short: "scan", 12 | Long: "Apply policies to json resources", 13 | Args: cobra.NoArgs, 14 | SilenceUsage: true, 15 | RunE: command.run, 16 | } 17 | cmd.Flags().StringVar(&command.bindings, "bindings", "", "Bindings file (json or yaml file). 
Top level keys will be interpreted as bindings names.") 18 | cmd.Flags().StringVar(&command.payload, "payload", "", "Path to payload (json or yaml file)") 19 | cmd.Flags().StringSliceVar(&command.preprocessors, "pre-process", nil, "JMESPath expression used to pre process payload") 20 | cmd.Flags().StringSliceVar(&command.policies, "policy", nil, "Path to kyverno-json policies") 21 | cmd.Flags().StringSliceVar(&command.selectors, "labels", nil, "Labels selectors for policies") 22 | cmd.Flags().StringVar(&command.output, "output", "text", "Output format (text or json)") 23 | return cmd 24 | } 25 | -------------------------------------------------------------------------------- /pkg/commands/scan/output.go: -------------------------------------------------------------------------------- 1 | package scan 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "io" 7 | 8 | jsonengine "github.com/kyverno/kyverno-json/pkg/json-engine" 9 | ) 10 | 11 | type output interface { 12 | println(args ...any) 13 | responses(responses ...jsonengine.Response) 14 | } 15 | 16 | type textOutput struct { 17 | out io.Writer 18 | } 19 | 20 | func (t *textOutput) println(args ...any) { 21 | fmt.Fprintln(t.out, args...) 
22 | } 23 | 24 | func (t *textOutput) responses(responses ...jsonengine.Response) { 25 | } 26 | 27 | type jsonOutput struct { 28 | out io.Writer 29 | } 30 | 31 | func (t *jsonOutput) println(args ...any) { 32 | } 33 | 34 | func (t *jsonOutput) responses(responses ...jsonengine.Response) { 35 | payload, err := json.MarshalIndent(ToReports(responses...), "", " ") 36 | if err != nil { 37 | fmt.Fprintln(t.out, err) 38 | } else { 39 | fmt.Fprintln(t.out, string(payload)) 40 | } 41 | } 42 | 43 | func newOutput(out io.Writer, format string) output { 44 | if format == "json" { 45 | return &jsonOutput{out: out} 46 | } 47 | return &textOutput{out: out} 48 | } 49 | -------------------------------------------------------------------------------- /pkg/commands/serve/provider.go: -------------------------------------------------------------------------------- 1 | package serve 2 | 3 | import ( 4 | "context" 5 | 6 | "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1" 7 | "github.com/kyverno/kyverno-json/pkg/client/clientset/versioned" 8 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 9 | ) 10 | 11 | type provider struct { 12 | client versioned.Interface 13 | } 14 | 15 | // TODO: use an informer/lister 16 | func (p *provider) Get() ([]v1alpha1.ValidatingPolicy, error) { 17 | list, err := p.client.JsonV1alpha1().ValidatingPolicies().List(context.Background(), metav1.ListOptions{}) 18 | if err != nil { 19 | return nil, err 20 | } 21 | return list.Items, nil 22 | } 23 | -------------------------------------------------------------------------------- /pkg/commands/version/command.go: -------------------------------------------------------------------------------- 1 | package version 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/kyverno/kyverno-json/pkg/command" 7 | "github.com/kyverno/kyverno-json/pkg/version" 8 | "github.com/spf13/cobra" 9 | ) 10 | 11 | func Command(parents ...string) *cobra.Command { 12 | doc := command.New( 13 | command.WithParents(parents...), 14 | 
command.WithDescription("Print the version informations"), 15 | command.WithExample("Print version infos", "version"), 16 | ) 17 | return &cobra.Command{ 18 | Use: "version", 19 | Short: command.Description(doc, true), 20 | Long: command.Description(doc, false), 21 | Example: command.Examples(doc), 22 | Args: cobra.NoArgs, 23 | SilenceUsage: true, 24 | RunE: func(cmd *cobra.Command, _ []string) error { 25 | fmt.Fprintf(cmd.OutOrStdout(), "Version: %s\n", version.Version()) 26 | fmt.Fprintf(cmd.OutOrStdout(), "Time: %s\n", version.Time()) 27 | fmt.Fprintf(cmd.OutOrStdout(), "Git commit ID: %s\n", version.Hash()) 28 | return nil 29 | }, 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /pkg/core/compilers/cel/cel_test.go: -------------------------------------------------------------------------------- 1 | package cel 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/stretchr/testify/assert" 7 | ) 8 | 9 | func Test_compiler_Compile(t *testing.T) { 10 | c := NewCompiler(DefaultEnv) 11 | _, err := c.Compile("object.?spec") 12 | assert.NoError(t, err) 13 | } 14 | -------------------------------------------------------------------------------- /pkg/core/compilers/cel/val.go: -------------------------------------------------------------------------------- 1 | package cel 2 | 3 | import ( 4 | "reflect" 5 | 6 | "github.com/google/cel-go/common/types" 7 | "github.com/google/cel-go/common/types/ref" 8 | ) 9 | 10 | type Val[T comparable] struct { 11 | inner T 12 | celType ref.Type 13 | } 14 | 15 | func NewVal[T comparable](value T, celType ref.Type) Val[T] { 16 | return Val[T]{ 17 | inner: value, 18 | celType: celType, 19 | } 20 | } 21 | 22 | func (w Val[T]) Unwrap() T { 23 | return w.inner 24 | } 25 | 26 | func (w Val[T]) Value() interface{} { 27 | return w.Unwrap() 28 | } 29 | 30 | func (w Val[T]) ConvertToNative(typeDesc reflect.Type) (interface{}, error) { 31 | panic("not required") 32 | } 33 | 34 | func (w Val[T]) 
ConvertToType(typeVal ref.Type) ref.Val { 35 | panic("not required") 36 | } 37 | 38 | func (w Val[T]) Equal(other ref.Val) ref.Val { 39 | o, ok := other.Value().(Val[T]) 40 | if !ok { 41 | return types.ValOrErr(other, "no such overload") 42 | } 43 | return types.Bool(o == w) 44 | } 45 | 46 | func (w Val[T]) Type() ref.Type { 47 | return w.celType 48 | } 49 | -------------------------------------------------------------------------------- /pkg/core/compilers/compiler.go: -------------------------------------------------------------------------------- 1 | package compilers 2 | 3 | import ( 4 | "github.com/jmespath-community/go-jmespath/pkg/binding" 5 | ) 6 | 7 | type Program = func(any, binding.Bindings) (any, error) 8 | 9 | type Compiler interface { 10 | Compile(string) (Program, error) 11 | } 12 | 13 | func Execute(statement string, value any, bindings binding.Bindings, compiler Compiler) (any, error) { 14 | program, err := compiler.Compile(statement) 15 | if err != nil { 16 | return nil, err 17 | } 18 | return program(value, bindings) 19 | } 20 | -------------------------------------------------------------------------------- /pkg/core/compilers/compilers.go: -------------------------------------------------------------------------------- 1 | package compilers 2 | 3 | import ( 4 | "github.com/kyverno/kyverno-json/pkg/core/compilers/cel" 5 | "github.com/kyverno/kyverno-json/pkg/core/compilers/jp" 6 | "github.com/kyverno/kyverno-json/pkg/core/expression" 7 | ) 8 | 9 | const ( 10 | CompilerCEL = expression.CompilerCEL 11 | CompilerJP = expression.CompilerJP 12 | ) 13 | 14 | var DefaultCompilers = Compilers{ 15 | Jp: jp.NewCompiler(), 16 | Cel: cel.NewCompiler(cel.DefaultEnv), 17 | } 18 | 19 | type Compilers struct { 20 | Jp jp.Compiler 21 | Cel cel.Compiler 22 | Default cel.Compiler 23 | } 24 | 25 | func (c Compilers) Compiler(compiler string) Compiler { 26 | switch compiler { 27 | case expression.CompilerJP: 28 | return c.Jp 29 | case expression.CompilerCEL: 30 | 
return c.Cel 31 | case expression.CompilerDefault: 32 | return c.Default 33 | } 34 | return nil 35 | } 36 | 37 | func (c Compilers) WithDefaultCompiler(defaultCompiler string) Compilers { 38 | switch defaultCompiler { 39 | case expression.CompilerJP: 40 | c.Default = c.Jp 41 | case expression.CompilerCEL: 42 | c.Default = c.Cel 43 | } 44 | return c 45 | } 46 | -------------------------------------------------------------------------------- /pkg/core/compilers/jp/options.go: -------------------------------------------------------------------------------- 1 | package jp 2 | 3 | import ( 4 | "context" 5 | 6 | "github.com/jmespath-community/go-jmespath/pkg/interpreter" 7 | "github.com/kyverno/kyverno-json/pkg/jp" 8 | ) 9 | 10 | var ( 11 | funcs = jp.GetFunctions(context.Background()) 12 | defaultCaller = interpreter.NewFunctionCaller(funcs...) 13 | ) 14 | 15 | type Option func(options) options 16 | 17 | type options struct { 18 | functionCaller interpreter.FunctionCaller 19 | } 20 | 21 | func WithFunctionCaller(functionCaller interpreter.FunctionCaller) Option { 22 | return func(o options) options { 23 | o.functionCaller = functionCaller 24 | return o 25 | } 26 | } 27 | 28 | func buildOptions(opts ...Option) options { 29 | var o options 30 | for _, opt := range opts { 31 | if opt != nil { 32 | o = opt(o) 33 | } 34 | } 35 | if o.functionCaller == nil { 36 | o.functionCaller = defaultCaller 37 | } 38 | return o 39 | } 40 | -------------------------------------------------------------------------------- /pkg/core/matching/number.go: -------------------------------------------------------------------------------- 1 | package matching 2 | 3 | import ( 4 | "reflect" 5 | ) 6 | 7 | func ToNumber(value reflect.Value) (float64, bool) { 8 | if value.CanFloat() { 9 | return value.Float(), true 10 | } 11 | if value.CanInt() { 12 | return float64(value.Int()), true 13 | } 14 | if value.CanUint() { 15 | return float64(value.Uint()), true 16 | } 17 | return 0, false 18 | } 19 | 
-------------------------------------------------------------------------------- /pkg/data/data.go: -------------------------------------------------------------------------------- 1 | package data 2 | 3 | import ( 4 | "embed" 5 | "io/fs" 6 | ) 7 | 8 | const crdsFolder = "crds" 9 | 10 | //go:embed crds 11 | var crdsFs embed.FS 12 | 13 | func Crds() (fs.FS, error) { 14 | return fs.Sub(crdsFs, crdsFolder) 15 | } 16 | -------------------------------------------------------------------------------- /pkg/data/data_test.go: -------------------------------------------------------------------------------- 1 | package data 2 | 3 | import ( 4 | "io/fs" 5 | "testing" 6 | 7 | "github.com/stretchr/testify/assert" 8 | ) 9 | 10 | func TestCrds(t *testing.T) { 11 | data, err := Crds() 12 | assert.NoError(t, err) 13 | { 14 | file, err := fs.Stat(data, "json.kyverno.io_validatingpolicies.yaml") 15 | assert.NoError(t, err) 16 | assert.NotNil(t, file) 17 | assert.False(t, file.IsDir()) 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /pkg/engine/blocks/constant/constant.go: -------------------------------------------------------------------------------- 1 | package constant 2 | 3 | import ( 4 | "context" 5 | 6 | "github.com/kyverno/kyverno-json/pkg/engine" 7 | ) 8 | 9 | type constant[TREQUEST any, TRESPONSE any] struct { 10 | response TRESPONSE 11 | } 12 | 13 | func (b *constant[TREQUEST, TRESPONSE]) Run(_ context.Context, _ TREQUEST) TRESPONSE { 14 | return b.response 15 | } 16 | 17 | func New[TREQUEST any, TRESPONSE any](response TRESPONSE) engine.Engine[TREQUEST, TRESPONSE] { 18 | return &constant[TREQUEST, TRESPONSE]{ 19 | response: response, 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /pkg/engine/blocks/function/function.go: -------------------------------------------------------------------------------- 1 | package function 2 | 3 | import ( 4 | "context" 5 | 6 | 
"github.com/kyverno/kyverno-json/pkg/engine" 7 | ) 8 | 9 | type function[TREQUEST any, TRESPONSE any] struct { 10 | function func(context.Context, TREQUEST) TRESPONSE 11 | } 12 | 13 | func (b *function[TREQUEST, TRESPONSE]) Run(ctx context.Context, request TREQUEST) TRESPONSE { 14 | return b.function(ctx, request) 15 | } 16 | 17 | func New[TREQUEST any, TRESPONSE any](f func(context.Context, TREQUEST) TRESPONSE) engine.Engine[TREQUEST, TRESPONSE] { 18 | return &function[TREQUEST, TRESPONSE]{ 19 | function: f, 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /pkg/engine/builder/builder.go: -------------------------------------------------------------------------------- 1 | package builder 2 | 3 | import ( 4 | "context" 5 | 6 | "github.com/kyverno/kyverno-json/pkg/engine" 7 | "github.com/kyverno/kyverno-json/pkg/engine/blocks/constant" 8 | "github.com/kyverno/kyverno-json/pkg/engine/blocks/function" 9 | ) 10 | 11 | type Engine[TREQUEST any, TRESPONSE any] struct { 12 | engine.Engine[TREQUEST, TRESPONSE] 13 | } 14 | 15 | func new[TREQUEST any, TRESPONSE any](engine engine.Engine[TREQUEST, TRESPONSE]) Engine[TREQUEST, TRESPONSE] { 16 | return Engine[TREQUEST, TRESPONSE]{engine} 17 | } 18 | 19 | func Constant[TREQUEST any, TRESPONSE any](response TRESPONSE) Engine[TREQUEST, TRESPONSE] { 20 | return new(constant.New[TREQUEST](response)) 21 | } 22 | 23 | func Function[TREQUEST any, TRESPONSE any](f func(context.Context, TREQUEST) TRESPONSE) Engine[TREQUEST, TRESPONSE] { 24 | return new(function.New(f)) 25 | } 26 | -------------------------------------------------------------------------------- /pkg/engine/engine.go: -------------------------------------------------------------------------------- 1 | package engine 2 | 3 | import ( 4 | "context" 5 | ) 6 | 7 | // TODO: 8 | // - tracing 9 | // - explain 10 | 11 | type Engine[TREQUEST any, TRESPONSE any] interface { 12 | Run(context.Context, TREQUEST) TRESPONSE 13 | } 14 | 
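-------------------------------------------------------------------------------- /pkg/jp/functions.go: --------------------------------------------------------------------------------
package jp

import (
	"context"

	jpfunctions "github.com/jmespath-community/go-jmespath/pkg/functions"
	"github.com/kyverno/kyverno-json/pkg/jp/functions"
	kyvernofunctions "github.com/kyverno/kyverno-json/pkg/jp/kyverno"
)

// GetFunctions returns the JMESPath function table used by the JP compiler:
// the upstream defaults, then this project's own functions, then the kyverno
// bare functions, concatenated in that order. Entries are appended, not merged;
// how a duplicate name (if any) is resolved is up to the function caller built
// from this table. ctx is accepted but not used here.
func GetFunctions(ctx context.Context) []jpfunctions.FunctionEntry {
	sources := [][]jpfunctions.FunctionEntry{
		jpfunctions.GetDefaultFunctions(),
		functions.GetFunctions(),
		kyvernofunctions.GetBareFunctions(),
	}
	var table []jpfunctions.FunctionEntry
	for _, entries := range sources {
		table = append(table, entries...)
	}
	return table
}
-------------------------------------------------------------------------------- /pkg/jp/functions/at.go: --------------------------------------------------------------------------------
package functions

import (
	"errors"
	"math"
)

// jpfAt implements the JMESPath at(array, index) function: it returns the
// element of arguments[0] at position arguments[1].
//
// arguments[0] must be a []any and arguments[1] a float64 (JMESPath numbers are
// float64) holding a non-negative integer below len(array). Any other input
// yields an error instead of a panic, so an out-of-range, negative or
// fractional index in a policy expression cannot crash the evaluating process.
func jpfAt(arguments []any) (any, error) {
	if len(arguments) < 2 {
		return nil, errors.New("invalid arguments, expected an array and an index")
	}
	slice, ok := arguments[0].([]any)
	if !ok {
		return nil, errors.New("invalid type, first argument must be an array")
	}
	index, ok := arguments[1].(float64)
	if !ok {
		return nil, errors.New("invalid type, second argument must be an int")
	}
	// Reject NaN, ±Inf and fractional values before converting: float64 -> int
	// of an out-of-range value is not a checked conversion in Go.
	if math.IsNaN(index) || math.IsInf(index, 0) || math.Trunc(index) != index {
		return nil, errors.New("invalid value, second argument must be an int")
	}
	if index < 0 || index >= float64(len(slice)) {
		return nil, errors.New("index out of range")
	}
	return slice[int(index)], nil
}
-------------------------------------------------------------------------------- /pkg/jp/functions/concat.go: --------------------------------------------------------------------------------
package functions

import (
	"errors"
)

// jpfConcat implements concat(string, string): both arguments must be strings
// and the result is their concatenation, in order.
func jpfConcat(arguments []any) (any, error) {
	if left, ok := arguments[0].(string); !ok {
		return nil, errors.New("invalid type, first argument must be a string")
	} else if right, ok := arguments[1].(string); !ok {
		return nil, errors.New("invalid type, second argument must be a string")
	} else {
		return left +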
right, nil 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /pkg/jp/functions/json_parse.go: -------------------------------------------------------------------------------- 1 | package functions 2 | 3 | import ( 4 | "errors" 5 | 6 | "k8s.io/apimachinery/pkg/util/json" 7 | ) 8 | 9 | func jpfJsonParse(arguments []any) (any, error) { 10 | if data, ok := arguments[0].(string); !ok { 11 | return nil, errors.New("invalid type, first argument must be a string") 12 | } else { 13 | var result any 14 | err := json.Unmarshal([]byte(data), &result) 15 | if err != nil { 16 | return nil, err 17 | } 18 | return result, nil 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /pkg/jp/functions/wildcard.go: -------------------------------------------------------------------------------- 1 | package functions 2 | 3 | import ( 4 | "errors" 5 | 6 | "github.com/kyverno/pkg/ext/wildcard" 7 | ) 8 | 9 | func jpfWildcard(arguments []any) (any, error) { 10 | if pattern, ok := arguments[0].(string); !ok { 11 | return nil, errors.New("invalid type, first argument must be a string") 12 | } else if name, ok := arguments[1].(string); !ok { 13 | return nil, errors.New("invalid type, second argument must be a string") 14 | } else { 15 | return wildcard.Match(pattern, name), nil 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /pkg/jp/kyverno/error.go: -------------------------------------------------------------------------------- 1 | package jmespath 2 | 3 | import ( 4 | "fmt" 5 | ) 6 | 7 | const ( 8 | errorPrefix = "JMESPath function '%s': " 9 | invalidArgumentTypeError = errorPrefix + "argument #%d is not of type %s" 10 | genericError = errorPrefix + "%s" 11 | argOutOfBoundsError = errorPrefix + "%d argument is out of bounds (%d)" 12 | zeroDivisionError = errorPrefix + "Zero divisor passed" 13 | nonIntModuloError = errorPrefix + "Non-integer 
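argument(s) passed for modulo"
	typeMismatchError        = errorPrefix + "Types mismatch"
	nonIntRoundError         = errorPrefix + "Non-integer argument(s) passed for round off"
)

// formatError builds an error from one of the message templates above: the
// function name fills the errorPrefix placeholder and values fill the remaining
// verbs, in order.
func formatError(format string, function string, values ...any) error {
	args := make([]any, 0, 1+len(values))
	args = append(args, function)
	args = append(args, values...)
	return fmt.Errorf(format, args...)
}
-------------------------------------------------------------------------------- /pkg/jp/kyverno/utils.go: --------------------------------------------------------------------------------
package jmespath

import (
	"fmt"
	"math"
	"reflect"
)

// validateArg checks that arguments[index] exists, is non-nil and has kind
// expectedType, and returns it as a reflect.Value. f names the calling JMESPath
// function for error messages; argument positions are reported 1-based. A nil
// argument is reported as a type mismatch, not as a missing argument.
func validateArg(f string, arguments []any, index int, expectedType reflect.Kind) (reflect.Value, error) {
	if index >= len(arguments) {
		return reflect.Value{}, formatError(argOutOfBoundsError, f, index+1, len(arguments))
	}
	raw := arguments[index]
	if raw == nil {
		return reflect.Value{}, formatError(invalidArgumentTypeError, f, index+1, expectedType.String())
	}
	value := reflect.ValueOf(raw)
	if value.Kind() != expectedType {
		return reflect.Value{}, formatError(invalidArgumentTypeError, f, index+1, expectedType.String())
	}
	return value, nil
}

// intNumber converts a JMESPath number (float64) to int, rejecting NaN, ±Inf,
// fractional values and values that do not round-trip through int (i.e. that
// lie outside the platform's int range).
func intNumber(number float64) (int, error) {
	isIntegral := !math.IsInf(number, 0) && !math.IsNaN(number) && math.Trunc(number) == number
	if !isIntegral {
		return 0, fmt.Errorf("expected an integer number but got: %g", number)
	}
	converted := int(number)
	// float64 -> int of an out-of-range value is not checked by Go; the
	// round-trip comparison catches it.
	if float64(converted) != number {
		return 0, fmt.Errorf("number is outside the range of integer numbers: %g", number)
	}
	return converted, nil
}
-------------------------------------------------------------------------------- /pkg/server/linux.go: --------------------------------------------------------------------------------
//go:build !js && !wasm

package server

import (
	"context"
	"log"
	"net"
	"net/http"
	"strconv"
	"time"
)

// Run starts serving s on host:port in a background goroutine and returns the
// server's Shutdown function for graceful termination; the context argument is
// currently unused. A listen failure other than http.ErrServerClosed panics in
// the goroutine, so the process dies rather than silently not serving.
//
// Only ReadHeaderTimeout is set (bounding slow-header clients); body read,
// write and idle timeouts are left at Go's default of none, so request bodies
// are bounded only by limits applied outside this file (e.g. the
// gin-max-body-size flag of the playground command).
func Run(_ context.Context, s Server, host string, port int) Shutdown {
	// net.JoinHostPort brackets IPv6 literals ("::" -> "[::]:8080"); the former
	// fmt.Sprintf("%v:%v") produced ":::8080", which net.Listen rejects.
	address := net.JoinHostPort(host, strconv.Itoa(port))
	srv := &http.Server{
		Addr:              address,
		Handler:           s.Handler(),
		ReadHeaderTimeout: 3 * time.Second,
	}
	go func() {
		err := srv.ListenAndServe()
		if err != nil && err != http.ErrServerClosed {
			panic(err)
		}
	}()
	log.Default().Printf("listening to requests on %s:%d", host, port)
	return srv.Shutdown
}
-------------------------------------------------------------------------------- /pkg/server/playground/request.go: --------------------------------------------------------------------------------
package playground

// Request is the JSON body of the playground's POST /scan route: the payload
// document and the policy are sent as text. Preprocessors are presumably the
// same JMESPath pre-processing expressions the scan command takes via
// --pre-process; the handler that consumes them is outside this file.
type Request struct {
	Payload       string   `json:"payload"`
	Preprocessors []string `json:"preprocessors"`
	Policy        string   `json:"policy"`
}
-------------------------------------------------------------------------------- /pkg/server/playground/routes.go: --------------------------------------------------------------------------------
package playground

import (
	"github.com/gin-gonic/gin"
)

// AddRoutes registers POST <group>/scan with the handler newHandler builds;
// it fails only when the handler cannot be built.
func AddRoutes(group *gin.RouterGroup) error {
	handler, err := newHandler()
	if err != nil {
		return err
	}
	group.POST("/scan", handler)
	return nil
}
-------------------------------------------------------------------------------- /pkg/server/scan/config.go: --------------------------------------------------------------------------------
package scan

import (
	"github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1"
)

// PolicyProvider supplies the policies the scan API evaluates against. The
// serve command backs it with a Kubernetes clientset list call
// (pkg/commands/serve/provider.go).
type PolicyProvider interface {
	Get() ([]v1alpha1.ValidatingPolicy, error)
}
-------------------------------------------------------------------------------- /pkg/server/scan/request.go: --------------------------------------------------------------------------------
package scan

// Request is the JSON body of the scan API's POST /scan route. Unlike the
// playground request, the payload arrives as already-decoded JSON (any) and
// the request carries no policy: policies come from the server's
// PolicyProvider.
type Request struct {
	Payload any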
`json:"payload"`
	Preprocessors []string `json:"preprocessors"`
}
-------------------------------------------------------------------------------- /pkg/server/scan/routes.go: --------------------------------------------------------------------------------
package scan

import (
	"log"

	"github.com/gin-gonic/gin"
)

// AddRoutes registers POST <group>/scan, backed by the handler newHandler
// builds from policyProvider, and logs the configured route. It fails only
// when the handler cannot be built.
func AddRoutes(group *gin.RouterGroup, policyProvider PolicyProvider) error {
	handler, err := newHandler(policyProvider)
	if err != nil {
		return err
	}
	const route = "scan"
	group.POST("/"+route, handler)
	log.Default().Printf("configured route %s/%s", group.BasePath(), route)
	return nil
}
-------------------------------------------------------------------------------- /pkg/server/server.go: --------------------------------------------------------------------------------
package server

import (
	"context"

	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

// Route prefixes the API and playground handlers are mounted under.
const (
	ApiPrefix        = "/api"
	PlaygroundPrefix = "/playground"
)

// Shutdown gracefully stops a server started by Run.
type Shutdown = func(context.Context) error

// Server is the gin engine routes are registered on.
type Server = *gin.Engine

// New builds the HTTP engine. Recovery middleware is always installed, so a
// panicking handler answers 500 instead of killing the process; request
// logging and CORS are opt-in.
//
// The CORS policy is deliberately open: any origin may call POST/GET/HEAD with
// the Origin and Content-Type headers. AllowCredentials is left at its zero
// value (false), so browsers do not attach cookies or HTTP auth to
// cross-origin calls, and Authorization is not an allowed header — that is
// what makes a wildcard origin acceptable here. If authentication or cookies
// are ever added to this server, AllowOrigins must become an explicit list.
// The error return is always nil today.
func New(enableLogger bool, enableCors bool) (Server, error) {
	router := gin.New()
	if enableLogger {
		router.Use(gin.Logger())
	}
	router.Use(gin.Recovery())
	if !enableCors {
		return router, nil
	}
	corsConfig := cors.Config{
		AllowOrigins:  []string{"*"},
		AllowMethods:  []string{"POST", "GET", "HEAD"},
		AllowHeaders:  []string{"Origin", "Content-Type"},
		ExposeHeaders: []string{"Content-Length"},
	}
	router.Use(cors.New(corsConfig))
	return router, nil
}
-------------------------------------------------------------------------------- /pkg/server/ui/embed.go: --------------------------------------------------------------------------------
package ui

import (
	"embed"
)

// staticFiles holds the built web UI (the dist directory) compiled into the
// binary; routes.go serves it for unmatched paths.
//
//go:embed dist
var staticFiles embed.FS
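--------------------------------------------------------------------------------
/pkg/server/ui/routes.go:
--------------------------------------------------------------------------------
package ui

import (
	"io/fs"
	"net/http"

	"github.com/gin-gonic/gin"
)

// AddRoutes serves the embedded UI (the dist directory of staticFiles) for
// every request no other route claims, via gin's NoRoute hook.
//
// Because this is the catch-all, an unknown path under the API prefixes also
// falls through to the file server and gets its 404 rather than a JSON error.
// http.FileServer renders a directory listing for a directory that has no
// index.html; with a build-time embedded tree that exposes nothing secret, but
// keep it in mind if anything other than the built UI is ever embedded.
func AddRoutes(router *gin.Engine) error {
	// Re-root at dist/ so request paths map to dist/<path> directly.
	sub, err := fs.Sub(staticFiles, "dist")
	if err != nil {
		return err
	}
	files := http.FileServer(http.FS(sub))
	router.NoRoute(func(c *gin.Context) {
		files.ServeHTTP(c.Writer, c.Request)
	})
	return nil
}
--------------------------------------------------------------------------------
/pkg/server/wasm.go:
--------------------------------------------------------------------------------
//go:build js && wasm

package server

import (
	"context"

	wasmhttp "github.com/nlepage/go-wasm-http-server"
)

// RunWasm serves s inside the browser (js/wasm builds only) through
// go-wasm-http-server instead of a TCP listener. The context is unused, as in
// Run; this variant returns no shutdown handle.
func RunWasm(_ context.Context, s Server) {
	wasmhttp.Serve(s.Handler())
}
--------------------------------------------------------------------------------
/pkg/utils/copy/deep_copy.go:
--------------------------------------------------------------------------------
package copy

import (
	"fmt"
)

// DeepCopy returns a recursive copy of a JSON-like value such that mutating
// the result cannot affect the input, and vice versa.
//
// Supported inputs are the shapes JSON-style decoders produce: nil, strings,
// bools, Go's basic integer and floating-point types, []any and
// map[string]any. Scalars are value types, so returning them as-is already is
// a copy. Any other type (for example []string, map[any]any or a struct)
// panics with the offending type name — deliberately, because silently
// sharing a reference would defeat the purpose of the copy.
//
// Slice nil-ness is preserved: an empty but non-nil slice copies to an empty
// non-nil slice and a nil slice to a nil slice, so the distinction between []
// and null survives re-serialisation.
func DeepCopy(in any) any {
	switch v := in.(type) {
	case nil:
		return nil
	case string, bool,
		int, int8, int16, int32, int64,
		uint, uint8, uint16, uint32, uint64,
		float32, float64:
		return v
	case []any:
		if v == nil {
			return v
		}
		out := make([]any, len(v))
		for i, item := range v {
			out[i] = DeepCopy(item)
		}
		return out
	case map[string]any:
		out := make(map[string]any, len(v))
		for k, item := range v {
			out[k] = DeepCopy(item)
		}
		return out
	}
	panic(fmt.Sprintf("deep copy failed - unrecognized type %T", in))
}
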
--------------------------------------------------------------------------------
/pkg/utils/hash/hash.go:
--------------------------------------------------------------------------------
package hash

import (
	"crypto/md5" //nolint:gosec
	"encoding/hex"
	"encoding/json"
)

// Hash returns the hex-encoded MD5 digest of the JSON encoding of in.
//
// It returns "" both for a nil input and for a value json.Marshal cannot
// encode (channels, funcs, cyclic data); callers cannot tell the two apart.
// Because encoding/json writes map keys in sorted order, maps with equal
// contents hash identically regardless of construction order.
//
// NOTE(review): MD5 is not collision resistant, so this is only suitable as a
// cheap identity/cache key, never as an integrity check. If the key is ever
// derived from attacker-controlled payloads and a collision would let one
// payload's cached result be served for another, move to crypto/sha256 (which
// changes the returned string from 32 to 64 hex characters).
func Hash(in any) string {
	if in == nil {
		return ""
	}
	encoded, err := json.Marshal(in)
	if err != nil {
		return ""
	}
	sum := md5.Sum(encoded) //nolint:gosec
	return hex.EncodeToString(sum[:])
}
--------------------------------------------------------------------------------
/pkg/utils/reflect/kind.go:
--------------------------------------------------------------------------------
package reflect

import (
	"reflect"
)

// GetKind reports the reflect.Kind of value, or reflect.Invalid for a nil
// interface (reflect.TypeOf(nil) returns a nil Type, whose Kind would panic).
func GetKind(value any) reflect.Kind {
	if value != nil {
		return reflect.TypeOf(value).Kind()
	}
	return reflect.Invalid
}
--------------------------------------------------------------------------------
/pkg/utils/reflect/kind_test.go:
--------------------------------------------------------------------------------
package reflect

import (
	"reflect"
	"testing"
)

// TestGetKind checks the kind reported for nil, the common scalar types and
// the container types the codebase passes around.
func TestGetKind(t *testing.T) {
	tests := []struct {
		name  string
		value any
		want  reflect.Kind
	}{{
		name:  "nil",
		value: nil,
		want:  reflect.Invalid,
	}, {
		name:  "int",
		value: int(42),
		want:  reflect.Int,
	}, {
		name:  "int32",
		value: int32(42),
		want:  reflect.Int32,
	}, {
		name:  "int64",
		value: int64(42),
		want:  reflect.Int64,
	}, {
		name:  "string",
		value: "foo",
		want:  reflect.String,
	}, {
		name:  "map",
		value: map[any]any{},
		want:  reflect.Map,
	}, {
		name:  "slice",
		value: []any{},
		want:  reflect.Slice,
	}}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := GetKind(tt.value); got != 
tt.want { 45 | t.Errorf("GetKind() = %v, want %v", got, tt.want) 46 | } 47 | }) 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /pkg/utils/rest/rest.go: -------------------------------------------------------------------------------- 1 | package rest 2 | 3 | import ( 4 | "k8s.io/client-go/rest" 5 | "k8s.io/client-go/tools/clientcmd" 6 | ) 7 | 8 | func Config(overrides clientcmd.ConfigOverrides) (*rest.Config, error) { 9 | loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() 10 | kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &overrides) 11 | config, err := kubeConfig.ClientConfig() 12 | if err != nil { 13 | return nil, err 14 | } 15 | config.QPS = 300 16 | config.Burst = 300 17 | return config, nil 18 | } 19 | -------------------------------------------------------------------------------- /playground-examples.yaml: -------------------------------------------------------------------------------- 1 | # categories 2 | Dockerfile: 3 | check-dockerfile: 4 | policy: test/commands/scan/dockerfile/policy.yaml 5 | payload: test/commands/scan/dockerfile/payload.json 6 | Terraform: 7 | terraform-s3: 8 | policy: test/commands/scan/tf-s3/policy.yaml 9 | payload: test/commands/scan/tf-s3/payload.json 10 | Kubernetes: 11 | pod-no-latest: 12 | policy: test/commands/scan/pod-no-latest/policy.yaml 13 | payload: test/commands/scan/pod-no-latest/payload.yaml 14 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | cairosvg 2 | lunr 3 | mike 4 | mkdocs 5 | mkdocs-include-markdown-plugin 6 | mkdocs-material 7 | mkdocs-minify-plugin 8 | mkdocs-redirects 9 | mkdocs-rss-plugin 10 | openapi2jsonschema 11 | Pillow 12 | -------------------------------------------------------------------------------- /test/api/README.md: 
-------------------------------------------------------------------------------- 1 | # Test for running the api 2 | 3 | ## Create a cluster 4 | 5 | ```bash 6 | make kind-create 7 | ``` 8 | 9 | ## Install CRDs 10 | 11 | ```bash 12 | make install-crds 13 | ``` 14 | 15 | ## Deploy a policy 16 | 17 | ```bash 18 | kubectl apply -f - < bar 4 | Loading payload ... 5 | Pre processing ... 6 | Running ( evaluating 1 resource against 1 policy ) ... 7 | - PASSED (POLICY=test, RULE=foo-bar-4) 8 | Done 9 | -------------------------------------------------------------------------------- /test/commands/scan/bindings/payload.yaml: -------------------------------------------------------------------------------- 1 | foo: 2 | bar: 4 3 | -------------------------------------------------------------------------------- /test/commands/scan/bindings/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: foo-bar-4 8 | match: 9 | all: 10 | - ($foo): bar 11 | assert: 12 | all: 13 | - check: 14 | foo: 15 | bar: 4 16 | -------------------------------------------------------------------------------- /test/commands/scan/cel/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - PASSED (POLICY=test, RULE=foo-bar-4) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/cel/payload.yaml: -------------------------------------------------------------------------------- 1 | foo: 2 | bar: 4 3 | -------------------------------------------------------------------------------- /test/commands/scan/cel/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | compiler: cel 7 | rules: 8 | - name: foo-bar-4 9 | context: 10 | - name: celFoo 11 | variable: (4) 12 | - name: jpFoo 13 | compiler: jp 14 | variable: ($celFoo) 15 | - name: celFoo 16 | variable: (bindings.resolve('jpFoo')) 17 | assert: 18 | all: 19 | - check: 20 | (object.foo.bar): (bindings.resolve('celFoo')) 21 | -------------------------------------------------------------------------------- /test/commands/scan/dockerfile/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG BUILD_PLATFORM="linux/amd64" 2 | ARG BUILDER_IMAGE="golang:1.20.6-alpine3.18" 3 | 4 | FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder 5 | 6 | WORKDIR / 7 | COPY . ./ 8 | 9 | # Get Signer plugin binary 10 | ARG SIGNER_BINARY_LINK="https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip" 11 | ARG SIGNER_BINARY_FILE="notation-aws-signer-plugin.zip" 12 | RUN wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK} 13 | RUN apk update && \ 14 | apk add unzip && \ 15 | unzip -o ${SIGNER_BINARY_FILE} 16 | 17 | # Build Go binary 18 | RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-w -s" -o kyverno-notation-aws . 
19 | 20 | FROM gcr.io/distroless/static:nonroot 21 | WORKDIR / 22 | 23 | # Notation home 24 | ENV PLUGINS_DIR=/plugins 25 | 26 | COPY --from=builder notation-com.amazonaws.signer.notation.plugin plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin 27 | 28 | COPY --from=builder kyverno-notation-aws kyverno-notation-aws 29 | ENTRYPOINT ["/kyverno-notation-aws"] 30 | -------------------------------------------------------------------------------- /test/commands/scan/dockerfile/README.md: -------------------------------------------------------------------------------- 1 | # Apply policies on a Dockerfile 2 | 3 | 1. Download a Dockerfile 4 | 5 | ``` 6 | curl -o /tmp/Dockerfile https://raw.githubusercontent.com/nirmata/kyverno-notation-aws/main/Dockerfile 7 | ``` 8 | 9 | 2. Convert to JSON 10 | 11 | Install `dockerfile-json`: https://github.com/keilerkonzept/dockerfile-json#get-it 12 | 13 | ``` 14 | dockerfile-json /tmp/Dockerfile | jq > input.json 15 | ``` 16 | 17 | 3. Apply policy 18 | 19 | ``` 20 | kyverno-json scan --policy test/commands/scan/dockerfile/policy.yaml --payload input.json 21 | ``` 22 | 23 | Results (the `deny-external-calls` rule fails on the `https://` URL baked into the Dockerfile and on the `wget` that downloads the signer plugin): 24 | 25 | ``` 26 | Loading policies ... 27 | Loading payload ... 28 | Pre processing ... 29 | Running ( evaluating 1 resource against 1 policy ) ... 30 | - FAILED (POLICY=check-dockerfile, RULE=deny-external-calls) 31 | -> HTTP calls are not allowed (CHECK=spec.rules[0].assert.all[0]) 32 | -> wget is not allowed (CHECK=spec.rules[0].assert.all[3]) 33 | Done 34 | ``` -------------------------------------------------------------------------------- /test/commands/scan/dockerfile/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - FAILED (POLICY=check-dockerfile, RULE=deny-external-calls) 6 | -> HTTP calls are not allowed (CHECK=spec.rules[0].assert.all[0]) 7 | -> Invalid value: true: Expected value: false (PATH=~.(Stages[].Commands[].Args[].Value)[0].(contains(@, 'https://') || contains(@, 'http://'))) 8 | -> wget is not allowed (CHECK=spec.rules[0].assert.all[3]) 9 | -> Invalid value: true: Expected value: false (PATH=~.(Stages[].Commands[].CmdLine[])[0].(contains(@, 'wget'))) 10 | Done 11 | -------------------------------------------------------------------------------- /test/commands/scan/dockerfile/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: check-dockerfile 5 | spec: 6 | rules: 7 | - name: deny-external-calls 8 | assert: 9 | all: 10 | - message: HTTP calls are not allowed 11 | check: 12 | ~.(Stages[].Commands[].Args[].Value): 13 | (contains(@, 'https://') || contains(@, 'http://')): false 14 | - message: HTTP calls are not allowed 15 | check: 16 | ~.(Stages[].Commands[].CmdLine[]): 17 | (contains(@, 'https://') || contains(@, 'http://')): false 18 | - message: curl is not allowed 19 | check: 20 | ~.(Stages[].Commands[].CmdLine[]): 21 | (contains(@, 'curl')): false 22 | - message: wget is not allowed 23 | check: 24 | ~.(Stages[].Commands[].CmdLine[]): 25 | (contains(@, 'wget')): false 26 | -------------------------------------------------------------------------------- /test/commands/scan/escaped/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - PASSED (POLICY=test, RULE=foo-bar-4) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/escaped/payload.yaml: -------------------------------------------------------------------------------- 1 | foo: 2 | (bar): 4 3 | (bar)->test: 6 4 | ~foos: 5 | - 1 6 | - 2 7 | - 3 8 | -------------------------------------------------------------------------------- /test/commands/scan/escaped/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: foo-bar-4 8 | assert: 9 | all: 10 | - check: 11 | foo: 12 | \(bar)\: 4 13 | - check: 14 | foo: 15 | \(bar)\->test: 16 | ($test): 4 17 | - check: 18 | foo: 19 | \(bar)->test\: 6 20 | - check: 21 | foo: 22 | \(bar)->test\->test: 23 | ($test): 6 24 | - check: 25 | foo: 26 | \~foos\: 27 | - 1 28 | - 2 29 | - 3 30 | -------------------------------------------------------------------------------- /test/commands/scan/foo-bar/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - PASSED (POLICY=test, RULE=foo-bar-4) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/foo-bar/payload.yaml: -------------------------------------------------------------------------------- 1 | foo: 2 | bar: 4 3 | -------------------------------------------------------------------------------- /test/commands/scan/foo-bar/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: foo-bar-4 8 | assert: 9 | all: 10 | - check: 11 | foo: 12 | bar: 4 13 | -------------------------------------------------------------------------------- /test/commands/scan/payload-yaml/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - FAILED (POLICY=required-s3-tags, RULE=require-team-tag, ID=aws_s3_bucket.example) 6 | -> Bucket `example` (aws_s3_bucket.example) does not have the required tags {"Team":"Kyverno"} (CHECK=spec.rules[0].assert.all[0]) 7 | -> Invalid value: map[string]interface {}{"Environment":"Dev", "Name":"My bucket"}: Expected value: map[string]interface {}{"Team":"Kyverno"} (PATH=values.tags) 8 | Done 9 | -------------------------------------------------------------------------------- /test/commands/scan/payload-yaml/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-s3-tags 5 | spec: 6 | rules: 7 | - name: require-team-tag 8 | identifier: "address" 9 | match: 10 | any: 11 | - type: aws_s3_bucket 12 | context: 13 | - name: tags 14 | variable: 15 | Team: Kyverno 16 | assert: 17 | all: 18 | - message: Bucket `{{ name }}` ({{ address }}) does not have the required tags {{ to_string($tags) }} 19 | check: 20 | values: 21 | tags: ($tags) 22 | -------------------------------------------------------------------------------- /test/commands/scan/pod-all-latest/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - PASSED (POLICY=test, RULE=pod-no-latest, ID=webserver) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/pod-all-latest/payload.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: webserver 5 | spec: 6 | containers: 7 | - name: webserver-1 8 | image: nginx:latest 9 | ports: 10 | - containerPort: 80 11 | - name: webserver-2 12 | image: nginx:latest 13 | ports: 14 | - containerPort: 80 15 | - name: webserver-3 16 | image: nginx:latest 17 | ports: 18 | - containerPort: 80 19 | -------------------------------------------------------------------------------- /test/commands/scan/pod-all-latest/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: pod-no-latest 8 | context: 9 | - name: tag 10 | variable: latest 11 | - name: tag 12 | variable: (concat(':', $tag)) 13 | match: 14 | any: 15 | - apiVersion: v1 16 | kind: Pod 17 | identifier: "metadata.name" 18 | assert: 19 | all: 20 | - check: 21 | ~.(spec.containers[*].image): 22 | # an image tag is required 23 | (contains(@, ':')): true 24 | # using a mutable image tag e.g. 
'latest' is not allowed 25 | (ends_with(@, $tag)): true 26 | -------------------------------------------------------------------------------- /test/commands/scan/pod-no-latest/payload.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: webserver 5 | spec: 6 | containers: 7 | - name: webserver-1 8 | image: nginx:latest 9 | ports: 10 | - containerPort: 80 11 | - name: webserver-2 12 | image: nginx:latest 13 | ports: 14 | - containerPort: 80 15 | - name: webserver-3 16 | image: nginx:latest 17 | ports: 18 | - containerPort: 80 19 | -------------------------------------------------------------------------------- /test/commands/scan/scripted/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 5 | - PASSED (POLICY=test, RULE=foo-bar-4) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/scripted/payload.yaml: -------------------------------------------------------------------------------- 1 | foo: 2 | baz: true 3 | bar: 4 4 | bat: 6 5 | -------------------------------------------------------------------------------- /test/commands/scan/scripted/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: foo-bar-4 8 | assert: 9 | all: 10 | - check: 11 | foo: 12 | (bar > `3`): true 13 | (!baz): false 14 | - check: 15 | foo: 16 | (bar + bat): 10 17 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ec2/ec2.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 
4 | source = "hashicorp/aws" 5 | version = "~> 4.16" 6 | } 7 | } 8 | 9 | required_version = ">= 1.2.0" 10 | } 11 | 12 | provider "aws" { 13 | region = "us-west-2" 14 | } 15 | 16 | resource "aws_instance" "app_server" { 17 | ami = "ami-830c94e3" 18 | instance_type = "t2.micro" 19 | 20 | tags = { 21 | Name = "ExampleAppServerInstance" 22 | } 23 | } -------------------------------------------------------------------------------- /test/commands/scan/tf-ec2/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 5 | - PASSED (POLICY=required-ec2-tags, RULE=require-team-tag) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ec2/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-ec2-tags 5 | spec: 6 | rules: 7 | - name: require-team-tag 8 | match: 9 | any: 10 | - type: aws_instance 11 | assert: 12 | all: 13 | - check: 14 | values: 15 | tags: 16 | (contains('@', Team)): false 17 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-cluster/01-out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 3 resources against 1 policy ) ... 
5 | - PASSED (POLICY=required-container-insights, RULE=required-container-insights) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-cluster/01-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-container-insights 5 | spec: 6 | rules: 7 | - name: required-container-insights 8 | match: 9 | any: 10 | - type: aws_ecs_cluster 11 | assert: 12 | all: 13 | - message: "Container insights should be enabled on ECS cluster" 14 | check: 15 | values: 16 | ~.setting: 17 | name: containerInsights 18 | value: enabled 19 | 20 | 21 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-cluster/02-out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 3 resources against 1 policy ) ... 
5 | - PASSED (POLICY=ecs-cluster-enable-logging, RULE=ecs-cluster-enable-logging) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-cluster/02-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: ecs-cluster-enable-logging 5 | spec: 6 | rules: 7 | - name: ecs-cluster-enable-logging 8 | match: 9 | any: 10 | - type: aws_ecs_cluster 11 | context: 12 | - name: forbidden_values 13 | variable: ["NONE"] 14 | assert: 15 | all: 16 | - message: "ECS Cluster should enable logging of ECS Exec" 17 | check: 18 | values: 19 | ~.configuration: 20 | ~.execute_command_configuration: 21 | (contains($forbidden_values, @.logging)): false 22 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-cluster/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_kms_key" "example" { 2 | description = "example" 3 | deletion_window_in_days = 7 4 | } 5 | 6 | resource "aws_cloudwatch_log_group" "example" { 7 | name = "example" 8 | } 9 | 10 | resource "aws_ecs_cluster" "test" { 11 | name = "example" 12 | 13 | configuration { 14 | execute_command_configuration { 15 | kms_key_id = aws_kms_key.example.arn 16 | logging = "OVERRIDE" 17 | 18 | log_configuration { 19 | cloud_watch_encryption_enabled = true 20 | cloud_watch_log_group_name = aws_cloudwatch_log_group.example.name 21 | } 22 | } 23 | } 24 | 25 | setting { 26 | name = "containerInsights" 27 | value = "enabled" 28 | } 29 | } -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-service/01-out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 
4 | Running ( evaluating 1 resource against 1 policy ) ... 5 | - PASSED (POLICY=required-latest-platform-fargate, RULE=required-latest-platform) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-service/01-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-latest-platform-fargate 5 | spec: 6 | rules: 7 | - name: required-latest-platform 8 | match: 9 | any: 10 | - type: aws_ecs_service 11 | values: 12 | launch_type: FARGATE 13 | context: 14 | - name: pv 15 | variable: platform_version 16 | assert: 17 | all: 18 | - message: "ECS Fargate services should run on the latest Fargate platform version" 19 | check: 20 | values: 21 | platform_version: 'LATEST' -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-service/02-out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - PASSED (POLICY=ecs-public-ip, RULE=ecs-public-ip) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-service/02-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: ecs-public-ip 5 | spec: 6 | rules: 7 | - name: ecs-public-ip 8 | match: 9 | any: 10 | - type: aws_ecs_service 11 | context: 12 | - name: allowed-values 13 | variable: [false] 14 | assert: 15 | all: 16 | - message: "ECS services should not have public IP addresses assigned to them automatically" 17 | check: 18 | values: 19 | ~.network_configuration: 20 | (contains('$allowed-values', @.assign_public_ip)): false -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-service/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-west-1" 3 | skip_credentials_validation = true 4 | skip_requesting_account_id = true 5 | skip_metadata_api_check = true 6 | access_key = "mock_access_key" 7 | secret_key = "mock_secret_key" 8 | } 9 | 10 | resource "aws_ecs_service" "mongo" { 11 | name = "mongodb" 12 | cluster = "id" 13 | task_definition = "aws_arn" 14 | desired_count = 3 15 | 16 | ordered_placement_strategy { 17 | type = "binpack" 18 | field = "cpu" 19 | } 20 | 21 | load_balancer { 22 | container_name = "mongo" 23 | container_port = 8080 24 | } 25 | 26 | network_configuration { 27 | subnets = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"] 28 | assign_public_ip = true 29 | } 30 | 31 | launch_type = "FARGATE" 32 | platform_version = "LATEST" 33 | 34 | placement_constraints { 35 | type = "memberOf" 36 | expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" 37 | } 38 | } -------------------------------------------------------------------------------- 
/test/commands/scan/tf-ecs-task-definition/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecs_task_definition" "service" { 2 | family = "service" 3 | container_definitions = jsonencode([ 4 | { 5 | name = "first" 6 | image = "service-first" 7 | cpu = 10 8 | memory = 512 9 | essential = true 10 | readonlyRootFilesystem = true 11 | portMappings = [ 12 | { 13 | containerPort = 80 14 | hostPort = 80 15 | } 16 | ] 17 | }, 18 | { 19 | name = "second" 20 | image = "service-second" 21 | cpu = 10 22 | memory = 256 23 | essential = true 24 | readonlyRootFilesystem = true 25 | portMappings = [ 26 | { 27 | containerPort = 443 28 | hostPort = 443 29 | } 30 | ] 31 | } 32 | ]) 33 | 34 | volume { 35 | name = "service-storage" 36 | host_path = "/ecs/service-storage" 37 | } 38 | 39 | placement_constraints { 40 | type = "memberOf" 41 | expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" 42 | } 43 | } -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-task-definition/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - PASSED (POLICY=fs-read-only, RULE=require-fs-read-only) 6 | Done 7 | -------------------------------------------------------------------------------- /test/commands/scan/tf-ecs-task-definition/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: fs-read-only 5 | spec: 6 | rules: 7 | - name: require-fs-read-only 8 | match: 9 | any: 10 | - type: aws_ecs_task_definition 11 | assert: 12 | any: 13 | - message: ECS containers only have read-only access to root filesystems 14 | check: 15 | values: 16 | ~.(json_parse(container_definitions)): 17 | readonlyRootFilesystem: true 18 | 19 | -------------------------------------------------------------------------------- /test/commands/scan/tf-plan/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - FAILED (POLICY=required-s3-tags, RULE=require-team-tag, ID=aws_s3_bucket.example) 6 | -> Bucket `example` (aws_s3_bucket.example) does not have the required tags {"Team":"Kyverno"} (CHECK=spec.rules[0].assert.all[0]) 7 | -> Invalid value: map[string]interface {}{"Environment":"Dev", "Name":"My bucket"}: Expected value: map[string]interface {}{"Team":"Kyverno"} (PATH=values.tags) 8 | Done 9 | -------------------------------------------------------------------------------- /test/commands/scan/tf-plan/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-s3-tags 5 | spec: 6 | rules: 7 | - name: require-team-tag 8 | identifier: "address" 9 | match: 10 | any: 11 | - type: aws_s3_bucket 12 | context: 13 | - name: tags 14 | variable: 15 | Team: Kyverno 16 | assert: 17 | all: 18 | - message: Bucket `{{ name }}` ({{ address }}) does not have the required tags {{ to_string($tags) }} 19 | check: 20 | values: 21 | tags: ($tags) 22 | -------------------------------------------------------------------------------- /test/commands/scan/tf-s3/bucket.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | aws = { 4 | source = "hashicorp/aws" 5 | version = "~> 4.16" 6 | } 7 | } 8 | 9 | required_version = ">= 1.2.0" 10 | } 11 | 12 | provider "aws" { 13 | region = "us-west-2" 14 | } 15 | 16 | resource "aws_s3_bucket" "example" { 17 | bucket = "my-tf-test-bucket" 18 | 19 | tags = { 20 | Name = "My bucket" 21 | Environment = "Dev" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /test/commands/scan/tf-s3/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - FAILED (POLICY=s3, RULE=check-tags) 6 | -> (CHECK=spec.rules[0].assert.all[0]) 7 | -> Invalid value: false: Expected value: true (PATH=planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team'))) 8 | Done 9 | -------------------------------------------------------------------------------- /test/commands/scan/tf-s3/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: s3 5 | spec: 6 | rules: 7 | - name: check-tags 8 | assert: 9 | all: 10 | - check: 11 | planned_values: 12 | root_module: 13 | ~.resources: 14 | values: 15 | (keys(tags_all)): 16 | (contains(@, 'Environment')): true 17 | (contains(@, 'Name')): true 18 | (contains(@, 'Team')): true -------------------------------------------------------------------------------- /test/commands/scan/wildcard/out.txt: -------------------------------------------------------------------------------- 1 | Loading policies ... 2 | Loading payload ... 3 | Pre processing ... 4 | Running ( evaluating 1 resource against 1 policy ) ... 
5 | - FAILED (POLICY=required-s3-tags, RULE=require-team-tag, ID=bucket1) 6 | -> (CHECK=spec.rules[0].assert.all[0]) 7 | -> Invalid value: true: Expected value: false (PATH=tags.(wildcard('?*', Team))) 8 | Done 9 | -------------------------------------------------------------------------------- /test/commands/scan/wildcard/payload.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "aws_s3_bucket", 3 | "name": "bucket1", 4 | "tags": { 5 | "Team": "A-Team" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /test/commands/scan/wildcard/policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: required-s3-tags 5 | spec: 6 | rules: 7 | - name: require-team-tag 8 | identifier: "name" 9 | match: 10 | any: 11 | - type: aws_s3_bucket 12 | exclude: 13 | any: 14 | - (wildcard('bypass-*', name)): true 15 | assert: 16 | all: 17 | - check: 18 | tags: 19 | (wildcard('?*', Team)): false 20 | -------------------------------------------------------------------------------- /test/commands/version/help.txt: -------------------------------------------------------------------------------- 1 | Print the version informations 2 | 3 | Usage: 4 | version [flags] 5 | 6 | Examples: 7 | # Print version infos 8 | version 9 | 10 | 11 | Flags: 12 | -h, --help help for version 13 | -------------------------------------------------------------------------------- /test/commands/version/out.txt: -------------------------------------------------------------------------------- 1 | Version: 2 | Time: --- 3 | Git commit ID: --- 4 | -------------------------------------------------------------------------------- /test/policy/bad-rule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: 
ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: pod-no-latest 8 | # matches instead of match 9 | matches: 10 | any: 11 | - apiVersion: v1 12 | kind: Pod 13 | assert: 14 | all: 15 | - check: 16 | spec: 17 | ~foo.containers->foos: 18 | (at($foos, $foo).image)->foo: 19 | # an image tag is required 20 | (contains($foo, ':')): true 21 | # using a mutable image tag e.g. 'latest' is not allowed 22 | (ends_with($foo, ':latest')): false -------------------------------------------------------------------------------- /test/policy/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: default 5 | data: 6 | foo: bar -------------------------------------------------------------------------------- /test/policy/empty.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/test/policy/empty.yaml -------------------------------------------------------------------------------- /test/policy/multiple.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test-1 5 | spec: 6 | rules: [] 7 | --- 8 | apiVersion: json.kyverno.io/v1alpha1 9 | kind: ValidatingPolicy 10 | metadata: 11 | name: test-2 12 | spec: 13 | rules: [] 14 | -------------------------------------------------------------------------------- /test/policy/no-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: {} 6 | -------------------------------------------------------------------------------- /test/policy/no-spec.yaml: -------------------------------------------------------------------------------- 
1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | -------------------------------------------------------------------------------- /test/policy/ok.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - name: pod-no-latest 8 | match: 9 | any: 10 | - apiVersion: v1 11 | kind: Pod 12 | assert: 13 | all: 14 | - check: 15 | spec: 16 | ~foo.containers->foos: 17 | (at($foos, $foo).image)->foo: 18 | # an image tag is required 19 | (contains($foo, ':')): true 20 | # using a mutable image tag e.g. 'latest' is not allowed 21 | (ends_with($foo, ':latest')): false -------------------------------------------------------------------------------- /test/policy/rule-name-missing.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: json.kyverno.io/v1alpha1 2 | kind: ValidatingPolicy 3 | metadata: 4 | name: test 5 | spec: 6 | rules: 7 | - match: 8 | any: 9 | - apiVersion: v1 10 | kind: Pod 11 | assert: 12 | all: 13 | - check: 14 | spec: 15 | ~foo.containers->foos: 16 | (at($foos, $foo).image)->foo: 17 | # an image tag is required 18 | (contains($foo, ':')): true 19 | # using a mutable image tag e.g. 
'latest' is not allowed 20 | (ends_with($foo, ':latest')): false -------------------------------------------------------------------------------- /wasm/main.go: -------------------------------------------------------------------------------- 1 | //go:build js && wasm 2 | 3 | package main 4 | 5 | import ( 6 | "context" 7 | "os/signal" 8 | "syscall" 9 | 10 | "github.com/gin-gonic/gin" 11 | "github.com/kyverno/kyverno-json/pkg/server" 12 | "github.com/kyverno/kyverno-json/pkg/server/playground" 13 | ) 14 | 15 | func main() { 16 | // initialise gin framework 17 | gin.SetMode(gin.DebugMode) 18 | // create server 19 | router, err := server.New(true, true) 20 | if err != nil { 21 | panic(err) 22 | } 23 | // register playground routes 24 | if err := playground.AddRoutes(router.Group(server.PlaygroundPrefix)); err != nil { 25 | panic(err) 26 | } 27 | // run server 28 | ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM) 29 | defer stop() 30 | server.RunWasm(ctx, router) 31 | <-ctx.Done() 32 | stop() 33 | } 34 | -------------------------------------------------------------------------------- /website/apis/markdown/type.tpl: -------------------------------------------------------------------------------- 1 | {{- define "type" }} 2 | ## `{{ .Name.Name }}` {#{{ .Anchor }}} 3 | {{- if eq .Kind "Alias" }} 4 | 5 | (Alias of `{{ .Underlying }}`) 6 | {{- end }} 7 | {{- with .References }} 8 | 9 | **Appears in:** 10 | {{ range . }} 11 | {{- if or .Referenced .IsExported }} 12 | - [{{ .DisplayName }}]({{ .Link }}) 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | {{- if .GetComment }} 17 | 18 | {{ .GetComment }} 19 | {{- end }} 20 | {{- if .GetMembers }} 21 | 22 | | Field | Type | Required | Inline | Description | 23 | |---|---|---|---|---| 24 | {{- /* . 
is a apiType */}} 25 | {{- if .IsExported }} 26 | {{- /* Add apiVersion and kind rows if deemed necessary */}} 27 | | `apiVersion` | `string` | :white_check_mark: | | `{{- .APIGroup -}}` | 28 | | `kind` | `string` | :white_check_mark: | | `{{- .Name.Name -}}` | 29 | {{- end }} 30 | {{- /* The actual list of members is in the following template */}} 31 | {{- template "members" . }} 32 | {{- end }} 33 | {{ end }} 34 | -------------------------------------------------------------------------------- /website/docs/catalog/index.md: -------------------------------------------------------------------------------- 1 | # Policy catalog 2 | 3 | The `kyverno-json` policy catalog contains curated policies to be reused. 4 | 5 | You can share your policies with the community by opening a pull request [here](https://github.com/kyverno/kyverno-json). 6 | 7 | ## Policies indexed by tags 8 | 9 | [TAGS] -------------------------------------------------------------------------------- /website/docs/catalog/policies/ecs/policy-1.md: -------------------------------------------------------------------------------- 1 | 2 | # policy-1 3 | 4 | ## Description 5 | 6 | None 7 | 8 | ## Install 9 | 10 | ### In cluster 11 | 12 | ```bash 13 | kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml 14 | ``` 15 | 16 | ### Download locally 17 | 18 | ```bash 19 | curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml 20 | ``` 21 | 22 | ## Manifest 23 | 24 | [Original policy](https://github.com/kyverno/kyverno-json/blob/main/catalog/ecs/policy-1.yaml) 25 | [Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml) 26 | 27 | ```yaml 28 | apiVersion: json.kyverno.io/v1alpha1 29 | kind: ValidatingPolicy 30 | metadata: 31 | creationTimestamp: null 32 | name: test 33 | spec: 34 | rules: 35 | - assert: 36 | all: 37 | - check: 38 | foo: 39 | /(bar)/: 10 40 | name: foo-bar 41 | ``` 42 | 
-------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json 2 | 3 | kyverno-json is a CLI tool to apply policies to json resources. 4 | 5 | ### Synopsis 6 | 7 | kyverno-json is a CLI tool to apply policies to json resources. 8 | 9 | 10 | ``` 11 | kyverno-json [flags] 12 | ``` 13 | 14 | ### Options 15 | 16 | ``` 17 | -h, --help help for kyverno-json 18 | ``` 19 | 20 | ### SEE ALSO 21 | 22 | * [kyverno-json completion](kyverno-json_completion.md) - Generate the autocompletion script for the specified shell 23 | * [kyverno-json docs](kyverno-json_docs.md) - Generates reference documentation. 24 | * [kyverno-json jp](kyverno-json_jp.md) - Provides a command-line interface to JMESPath, enhanced with custom functions. 25 | * [kyverno-json playground](kyverno-json_playground.md) - playground 26 | * [kyverno-json scan](kyverno-json_scan.md) - scan 27 | * [kyverno-json serve](kyverno-json_serve.md) - serve 28 | * [kyverno-json version](kyverno-json_version.md) - Print the version informations 29 | 30 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_completion.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json completion 2 | 3 | Generate the autocompletion script for the specified shell 4 | 5 | ### Synopsis 6 | 7 | Generate the autocompletion script for kyverno-json for the specified shell. 8 | See each sub-command's help for details on how to use the generated script. 9 | 10 | 11 | ### Options 12 | 13 | ``` 14 | -h, --help help for completion 15 | ``` 16 | 17 | ### SEE ALSO 18 | 19 | * [kyverno-json](kyverno-json.md) - kyverno-json is a CLI tool to apply policies to json resources. 
20 | * [kyverno-json completion bash](kyverno-json_completion_bash.md) - Generate the autocompletion script for bash 21 | * [kyverno-json completion fish](kyverno-json_completion_fish.md) - Generate the autocompletion script for fish 22 | * [kyverno-json completion powershell](kyverno-json_completion_powershell.md) - Generate the autocompletion script for powershell 23 | * [kyverno-json completion zsh](kyverno-json_completion_zsh.md) - Generate the autocompletion script for zsh 24 | 25 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_completion_fish.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json completion fish 2 | 3 | Generate the autocompletion script for fish 4 | 5 | ### Synopsis 6 | 7 | Generate the autocompletion script for the fish shell. 8 | 9 | To load completions in your current shell session: 10 | 11 | kyverno-json completion fish | source 12 | 13 | To load completions for every new session, execute once: 14 | 15 | kyverno-json completion fish > ~/.config/fish/completions/kyverno-json.fish 16 | 17 | You will need to start a new shell for this setup to take effect. 18 | 19 | 20 | ``` 21 | kyverno-json completion fish [flags] 22 | ``` 23 | 24 | ### Options 25 | 26 | ``` 27 | -h, --help help for fish 28 | --no-descriptions disable completion descriptions 29 | ``` 30 | 31 | ### SEE ALSO 32 | 33 | * [kyverno-json completion](kyverno-json_completion.md) - Generate the autocompletion script for the specified shell 34 | 35 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_completion_powershell.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json completion powershell 2 | 3 | Generate the autocompletion script for powershell 4 | 5 | ### Synopsis 6 | 7 | Generate the autocompletion script for powershell. 
8 | 9 | To load completions in your current shell session: 10 | 11 | kyverno-json completion powershell | Out-String | Invoke-Expression 12 | 13 | To load completions for every new session, add the output of the above command 14 | to your powershell profile. 15 | 16 | 17 | ``` 18 | kyverno-json completion powershell [flags] 19 | ``` 20 | 21 | ### Options 22 | 23 | ``` 24 | -h, --help help for powershell 25 | --no-descriptions disable completion descriptions 26 | ``` 27 | 28 | ### SEE ALSO 29 | 30 | * [kyverno-json completion](kyverno-json_completion.md) - Generate the autocompletion script for the specified shell 31 | 32 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_docs.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json docs 2 | 3 | Generates reference documentation. 4 | 5 | ### Synopsis 6 | 7 | Generates reference documentation. 8 | 9 | The docs command generates CLI reference documentation. 10 | It can be used to generate simple markdown files or markdown to be used for the website. 11 | 12 | ``` 13 | kyverno-json docs [flags] 14 | ``` 15 | 16 | ### Examples 17 | 18 | ``` 19 | # Generate simple markdown documentation 20 | kyverno-json docs -o . --autogenTag=false 21 | 22 | # Generate website documentation 23 | kyverno-json docs -o . --website 24 | 25 | ``` 26 | 27 | ### Options 28 | 29 | ``` 30 | --autogenTag Determines if the generated docs should contain a timestamp (default true) 31 | -h, --help help for docs 32 | -o, --output string Output path (default ".") 33 | --website Website version 34 | ``` 35 | 36 | ### SEE ALSO 37 | 38 | * [kyverno-json](kyverno-json.md) - kyverno-json is a CLI tool to apply policies to json resources. 
39 | 40 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_jp_function.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json jp function 2 | 3 | Provides function informations. 4 | 5 | ### Synopsis 6 | 7 | Provides function informations. 8 | 9 | 10 | ``` 11 | kyverno-json jp function [function_name]... [flags] 12 | ``` 13 | 14 | ### Examples 15 | 16 | ``` 17 | # List functions 18 | kyverno-json jp function 19 | 20 | # Get function infos 21 | kyverno-json jp function truncate 22 | 23 | ``` 24 | 25 | ### Options 26 | 27 | ``` 28 | -h, --help help for function 29 | ``` 30 | 31 | ### SEE ALSO 32 | 33 | * [kyverno-json jp](kyverno-json_jp.md) - Provides a command-line interface to JMESPath, enhanced with custom functions. 34 | 35 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_jp_parse.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json jp parse 2 | 3 | Parses jmespath expression and prints corresponding AST. 4 | 5 | ### Synopsis 6 | 7 | Parses jmespath expression and prints corresponding AST. 8 | 9 | 10 | ``` 11 | kyverno-json jp parse [-f file|expression]... 
[flags] 12 | ``` 13 | 14 | ### Examples 15 | 16 | ``` 17 | # Parse expression 18 | kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)' 19 | 20 | # Parse expression from a file 21 | kyverno-json jp parse -f my-file 22 | 23 | # Parse expression from stdin 24 | kyverno-json jp parse 25 | 26 | # Parse multiple expressionxs 27 | kyverno-json jp parse -f my-file1 -f my-file-2 'request.object.metadata.name | truncate(@, `9`)' 28 | 29 | ``` 30 | 31 | ### Options 32 | 33 | ``` 34 | -f, --file strings Read input from a JSON or YAML file instead of stdin 35 | -h, --help help for parse 36 | ``` 37 | 38 | ### SEE ALSO 39 | 40 | * [kyverno-json jp](kyverno-json_jp.md) - Provides a command-line interface to JMESPath, enhanced with custom functions. 41 | 42 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_playground.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json playground 2 | 3 | playground 4 | 5 | ### Synopsis 6 | 7 | Serve playground 8 | 9 | ``` 10 | kyverno-json playground [flags] 11 | ``` 12 | 13 | ### Options 14 | 15 | ``` 16 | --gin-cors enable gin cors (default true) 17 | --gin-log enable gin logger (default true) 18 | --gin-max-body-size int gin max body size (default 2097152) 19 | --gin-mode string gin run mode (default "release") 20 | -h, --help help for playground 21 | --server-host string server host (default "0.0.0.0") 22 | --server-port int server port (default 8080) 23 | ``` 24 | 25 | ### SEE ALSO 26 | 27 | * [kyverno-json](kyverno-json.md) - kyverno-json is a CLI tool to apply policies to json resources. 
28 | 29 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_scan.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json scan 2 | 3 | scan 4 | 5 | ### Synopsis 6 | 7 | Apply policies to json resources 8 | 9 | ``` 10 | kyverno-json scan [flags] 11 | ``` 12 | 13 | ### Options 14 | 15 | ``` 16 | --bindings string Bindings file (json or yaml file). Top level keys will be interpreted as bindings names. 17 | -h, --help help for scan 18 | --labels strings Labels selectors for policies 19 | --output string Output format (text or json) (default "text") 20 | --payload string Path to payload (json or yaml file) 21 | --policy strings Path to kyverno-json policies 22 | --pre-process strings JMESPath expression used to pre process payload 23 | ``` 24 | 25 | ### SEE ALSO 26 | 27 | * [kyverno-json](kyverno-json.md) - kyverno-json is a CLI tool to apply policies to json resources. 28 | 29 | -------------------------------------------------------------------------------- /website/docs/cli/commands/kyverno-json_version.md: -------------------------------------------------------------------------------- 1 | ## kyverno-json version 2 | 3 | Print the version informations 4 | 5 | ### Synopsis 6 | 7 | Print the version informations 8 | 9 | 10 | ``` 11 | kyverno-json version [flags] 12 | ``` 13 | 14 | ### Examples 15 | 16 | ``` 17 | # Print version infos 18 | kyverno-json version 19 | 20 | ``` 21 | 22 | ### Options 23 | 24 | ``` 25 | -h, --help help for version 26 | ``` 27 | 28 | ### SEE ALSO 29 | 30 | * [kyverno-json](kyverno-json.md) - kyverno-json is a CLI tool to apply policies to json resources. 
31 | 32 | -------------------------------------------------------------------------------- /website/docs/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | template: home.html 3 | title: kyverno-json 4 | --- 5 | -------------------------------------------------------------------------------- /website/docs/intro.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | `kyverno-json` extends Kyverno policies to perform simple and efficient validation of data in JSON or YAML format. With `kyverno-json`, you can now use Kyverno policies to validate: 4 | 5 | - Terraform files 6 | - Dockerfiles 7 | - Cloud configurations 8 | - Authorization requests 9 | 10 | Simply convert your runtime or configuration data to JSON, and use Kyverno to audit or enforce policies for security and best practices compliance. 11 | 12 | `kyverno-json` can be run as a: 13 | 14 | 1. [A Command Line Interface (CLI)](./cli/index.md) 15 | 2. [A web application with a REST API](./webapp/index.md) 16 | 3. [A Golang library](./go-library/index.md) 17 | -------------------------------------------------------------------------------- /website/docs/jp.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | `kyverno-json` uses [JMESPath community edition](https://jmespath.site/), a modern JMESPath implementation with lexical scopes support. 4 | 5 | The current *payload*, *policy* and *rule* are always available using the following builtin bindings: 6 | 7 | | Binding | Usage | 8 | |---|---| 9 | | `$payload` | Current payload being analysed | 10 | | `$policy` | Current policy being executed | 11 | | `$rule` | Current rule being evaluated | 12 | 13 | !!! warning 14 | 15 | No protection is made to prevent you from overriding those bindings. 
16 | -------------------------------------------------------------------------------- /website/docs/playground.md: -------------------------------------------------------------------------------- 1 | # Playground 2 | 3 | The `kyverno-json` playground can be used to test `kyverno-json` directly in your web browser. -------------------------------------------------------------------------------- /website/docs/static/extra.css: -------------------------------------------------------------------------------- 1 | body > header > nav > a > img { 2 | border-radius: 10%; 3 | border: 1px solid #555; 4 | } -------------------------------------------------------------------------------- /website/docs/static/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/website/docs/static/favicon.ico -------------------------------------------------------------------------------- /website/docs/static/kyverno-json-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/website/docs/static/kyverno-json-logo.png -------------------------------------------------------------------------------- /website/playground/assets/img/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/website/playground/assets/img/favicon.ico -------------------------------------------------------------------------------- /website/playground/assets/img/kyverno-json-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyverno/kyverno-json/bd9932a0f94638621565e4ebf503cffeb76862f3/website/playground/assets/img/kyverno-json-logo.png 
-------------------------------------------------------------------------------- /website/playground/sw.js: -------------------------------------------------------------------------------- 1 | importScripts('dist/wasm_exec.js') 2 | importScripts('https://cdn.jsdelivr.net/gh/nlepage/go-wasm-http-server@v1.1.0/sw.js') 3 | 4 | // Skip installed stage and jump to activating stage 5 | addEventListener('install', (event) => { 6 | event.waitUntil(skipWaiting()) 7 | }) 8 | 9 | // Start controlling clients as soon as the SW is activated 10 | addEventListener('activate', event => { 11 | event.waitUntil(clients.claim()) 12 | }) 13 | 14 | registerWasmHTTPListener('assets/main.wasm', { base: 'api' }) 15 | -------------------------------------------------------------------------------- /website/policy.gotmpl: -------------------------------------------------------------------------------- 1 | {{- with .Tags -}} 2 | --- 3 | tags: 4 | {{- range . }} 5 | - {{ . }} 6 | {{- end }} 7 | --- 8 | {{- end }} 9 | # {{ .Title }} 10 | 11 | ## Description 12 | 13 | {{ .Description }} 14 | 15 | ## Install 16 | 17 | ### In cluster 18 | 19 | ```bash 20 | kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/{{ .Path }} 21 | ``` 22 | 23 | ### Download locally 24 | 25 | ```bash 26 | curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/{{ .Path }} 27 | ``` 28 | 29 | ## Manifest 30 | 31 | [Original policy](https://github.com/kyverno/kyverno-json/blob/main/{{ .Path }}) 32 | [Raw](https://raw.githubusercontent.com/kyverno/kyverno-json/main/{{ .Path }}) 33 | 34 | ```yaml 35 | {{ .Manifest }} 36 | ``` 37 | --------------------------------------------------------------------------------