feat: add PDB fields in the policy server spec. #698

Merged
merged 1 commit into from
Apr 4, 2024
48 changes: 24 additions & 24 deletions config/crd/bases/policies.kubewarden.io_admissionpolicies.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -87,20 +87,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
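Review bot: The rewritten matchPolicy description (newline-and-dash bullets replaced by `<ul> <li>` markup, double-quoted scalar replaced by a single-quoted one) has nothing to do with the PR title, "add PDB fields in the policy server spec". Either move the description reformatting to its own commit or say in the commit message why the CRD text had to change alongside the PDB work, so that someone bisecting a CRD rendering problem later can find the reason.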
Expand Down Expand Up @@ -425,20 +425,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
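Review bot: The last line of this description still promises `Defaults to "Equivalent"`, but the matchPolicy schema in this hunk carries only `type: string`, while the `mode` field directly below it declares `default: protect`. If the default is applied by the controller or left to the API server when the webhook is registered, say so in the description; otherwise add a schema default so the stored object and the documentation agree.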
Original file line number Diff line number Diff line change
Expand Up @@ -108,20 +108,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
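Review bot: The new matchPolicy text mixes two markup languages: the list is now HTML (`<ul> <li> ... </li> </ul>`) while the inline examples keep Markdown backticks around `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`. A plain-text consumer of the CRD schema such as `kubectl explain` prints the description string as it is stored, so users will see the literal tags and lose the line breaks the old `\n - ` form gave them. Pick one markup for the whole description, and prefer doing any HTML conversion in the documentation build rather than in the CRD itself.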
Expand All @@ -147,22 +147,31 @@ spec:
mutate incoming requests or not.
type: boolean
namespaceSelector:
description: "NamespaceSelector decides whether to run the webhook
description: 'NamespaceSelector decides whether to run the webhook
on an object based on whether the namespace for that object matches
the selector. If the object itself is a namespace, the matching
is performed on object.metadata.labels. If the object is another
cluster scoped resource, it never skips the webhook. \n For example,
to run the webhook on any objects whose namespace is not associated
with \"runlevel\" of \"0\" or \"1\"; you will set the selector
as follows: \"namespaceSelector\": { \"matchExpressions\": [ { \"key\":
\"runlevel\", \"operator\": \"NotIn\", \"values\": [ \"0\", \"1\"
] } ] } \n If instead you want to only run the webhook on any objects
whose namespace is associated with the \"environment\" of \"prod\"
or \"staging\"; you will set the selector as follows: \"namespaceSelector\":
{ \"matchExpressions\": [ { \"key\": \"environment\", \"operator\":
\"In\", \"values\": [ \"prod\", \"staging\" ] } ] } \n See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. \n Default to the empty LabelSelector,
which matches everything."
cluster scoped resource, it never skips the webhook. <br/><br/>
For example, to run the webhook on any objects whose namespace is
not associated with "runlevel" of "0" or "1"; you will set the
selector as follows: <pre> "namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions":
[<br/> &nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"runlevel",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"NotIn",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"0",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"1"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> If instead you want to only run the
webhook on any objects whose namespace is associated with the "environment"
of "prod" or "staging"; you will set the selector as follows: <pre>
"namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"environment",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"In",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"prod",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"staging"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. <br/><br/> Default to the
empty LabelSelector, which matches everything.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
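Review bot: In the namespaceSelector description the braces are written as `\{` and `\}` inside a single-quoted YAML scalar, where a backslash is not an escape character, so the stored description contains the backslashes literally. The `<pre>` examples are also built from `<br/>` and runs of `&nbsp;`, which makes the JSON snippets unreadable in the raw schema and in plain-text output. If the escaping exists only to satisfy one documentation renderer, apply it in that renderer's pipeline and keep the selector examples in the CRD as plain JSON.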
Expand Down Expand Up @@ -506,20 +515,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
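Review bot: Since the sentence is being rewrapped anyway, fix the wording in the second list item: "match a request if modifies a resource listed in rules" is missing its subject and should read "if it modifies". This is the fourth identical copy of the matchPolicy text across the two CRD files, so make the correction wherever the text is generated from rather than by hand in each copy.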
Expand All @@ -544,22 +553,31 @@ spec:
mutate incoming requests or not.
type: boolean
namespaceSelector:
description: "NamespaceSelector decides whether to run the webhook
description: 'NamespaceSelector decides whether to run the webhook
on an object based on whether the namespace for that object matches
the selector. If the object itself is a namespace, the matching
is performed on object.metadata.labels. If the object is another
cluster scoped resource, it never skips the webhook. \n For example,
to run the webhook on any objects whose namespace is not associated
with \"runlevel\" of \"0\" or \"1\"; you will set the selector
as follows: \"namespaceSelector\": { \"matchExpressions\": [ { \"key\":
\"runlevel\", \"operator\": \"NotIn\", \"values\": [ \"0\", \"1\"
] } ] } \n If instead you want to only run the webhook on any objects
whose namespace is associated with the \"environment\" of \"prod\"
or \"staging\"; you will set the selector as follows: \"namespaceSelector\":
{ \"matchExpressions\": [ { \"key\": \"environment\", \"operator\":
\"In\", \"values\": [ \"prod\", \"staging\" ] } ] } \n See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. \n Default to the empty LabelSelector,
which matches everything."
cluster scoped resource, it never skips the webhook. <br/><br/>
For example, to run the webhook on any objects whose namespace is
not associated with "runlevel" of "0" or "1"; you will set the
selector as follows: <pre> "namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions":
[<br/> &nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"runlevel",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"NotIn",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"0",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"1"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> If instead you want to only run the
webhook on any objects whose namespace is associated with the "environment"
of "prod" or "staging"; you will set the selector as follows: <pre>
"namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"environment",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"In",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"prod",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"staging"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. <br/><br/> Default to the
empty LabelSelector, which matches everything.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
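Review bot: The closing sentence of this namespaceSelector description reads "Default to the empty LabelSelector, which matches everything." and should be "Defaults to", matching the matchPolicy wording above. Also confirm that this copy and the one at -147 come from a single source: files under config/crd/bases are normally regenerated, and a hand edit here would be lost, or drift from the other copy, on the next generation run.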