diff --git a/Makefile b/Makefile index 7898ff86a8e..64071d4fdf4 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ AUDIT_CONNECTION ?= "audit" AUDIT_CHANNEL ?= "audit" LOG_LEVEL ?= "INFO" -VERSION := v3.16.0-beta.1 +VERSION := v3.16.0-beta.2 KIND_VERSION ?= 0.17.0 # note: k8s version pinned since KIND image availability lags k8s releases diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml index 67d82e13df1..f690a0fba1c 100644 --- a/charts/gatekeeper/Chart.yaml +++ b/charts/gatekeeper/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.16.0-beta.1 +version: 3.16.0-beta.2 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.16.0-beta.1 +appVersion: v3.16.0-beta.2 diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md index 7d77041443b..7430a33cf2a 100644 --- a/charts/gatekeeper/README.md +++ b/charts/gatekeeper/README.md @@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.1` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.2` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | 
@@ -97,7 +97,7 @@ information._
 | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
 | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` |
 | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
-| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.1` |
+| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.2` |
 | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
 | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` |
@@ -107,10 +107,10 @@ information._
 | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
 | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
-| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.16.0-beta.1` |
+| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.16.0-beta.2` |
 | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
 | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
-| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.16.0-beta.1` |
+| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.16.0-beta.2` |
 | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` |
 | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
@@ -142,6 +142,7 @@ information._
 | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
 | validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
 | validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
+| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
 | validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
 | validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
 | validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
@@ -158,18 +159,21 @@ information._ | mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | | mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | | mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` | | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | +| vapEnforcement | Generate K8s Validating Admission Policy resource. 
Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.16.0-beta.1` | +| image.release | The image release tag to use | Current release version: `v3.16.0-beta.2` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml index 0221a194812..9cdb88b82db 100644 --- a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assign.mutations.gatekeeper.sh @@ -22,10 +22,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +46,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -59,21 +73,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
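Review bot: The new item `pattern: ^\*?[-:a-z0-9]*\*?$` under `excludedNamespaces` no longer requires any alphanumeric character, so it accepts the empty string, a bare `*` or `**`, and values that begin or end with `-` or `:`, all of which the removed pattern rejected. The removed pattern already matched a two-sided glob such as `*system*`, so the loosening goes further than the updated description needs. How the matcher treats a bare `*` or an empty entry is not visible here; if either matches every namespace, a single `excludedNamespaces` item would silently take a mutator out of scope cluster-wide, so consider keeping one required alphanumeric, e.g. `pattern: ^\*?[-:a-z0-9]*[a-z0-9][-:a-z0-9]*\*?$`. The same pattern is repeated for `name` and `namespaces` in the later hunks of this file, where the `name` description still says "prefix or suffix glob". Since this CRD is emitted by controller-gen, the change presumably belongs in the validation marker on the Go type rather than in this YAML.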
@@ -84,21 +117,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -110,29 +157,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -144,21 +208,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -176,17 +258,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -209,7 +297,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -239,7 +338,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -248,7 +349,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -271,10 +375,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -282,9 +395,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -304,21 +422,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -329,21 +466,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -355,29 +506,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -389,21 +557,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -421,17 +607,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -454,7 +646,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -484,7 +687,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -493,7 +698,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -516,10 +724,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -527,9 +744,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -549,21 +771,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -574,21 +815,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -600,29 +855,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -634,21 +906,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -666,17 +956,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -699,7 +995,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -729,7 +1036,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -738,7 +1047,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml index 197f2f17933..8a206ea3d50 100644 --- a/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignimage.mutations.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: AssignImage is the Schema for the assignimage API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +46,14 @@ spec: description: AssignImageSpec defines the desired state of AssignImage. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -59,21 +73,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
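Review bot: The new item pattern `^\*?[-:a-z0-9]*\*?$` on `excludedNamespaces` makes every part optional, so the empty string, a bare `*` and `**` now pass schema validation, whereas the removed pattern required at least one alphanumeric character. Whether the matcher treats a bare `*` as match-all is not visible in this diff; if it does, `excludedNamespaces: ["*"]` would silently take a mutator out of every namespace, which should be a deliberate decision for an admission policy. If that is not intended, require at least one name character, e.g. `pattern: ^\*?[-:a-z0-9]+\*?$`, and make the change in the kubebuilder marker on the Go type, since these CRDs appear to be controller-gen output. The same pattern is introduced on `name` and `namespaces` in later hunks of this file and in the AssignMetadata CRD hunks.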
@@ -84,21 +117,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -110,29 +157,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -144,21 +208,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -169,17 +251,32 @@ spec: description: Parameters define the behavior of the mutator. properties: assignDomain: - description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + description: |- + AssignDomain sets the domain component on an image string. The trailing + slash should not be included. type: string assignPath: description: AssignPath sets the domain component on an image string. type: string assignTag: - description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + description: |- + AssignImage sets the image component on an image string. It must start + with a `:` or `@`. type: string pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object 
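Review bot: The rewrapped `assignTag` description still opens with "AssignImage sets the image component", and the unchanged `assignPath` description beside it says it sets the "domain component", so neither text matches its field name. Someone writing an image-rewrite mutator from this schema cannot tell which part of the image reference each field replaces. Presumably the intended wording is `AssignPath sets the path component on an image string.` and `AssignTag sets the tag component on an image string. It must start with a ":" or "@".`. The fix belongs in the Go doc comments these descriptions are generated from.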
@@ -209,7 +306,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -218,7 +317,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml index 65c17ed3ae1..2c28c1c6d02 100644 --- a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignmetadata.mutations.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -42,18 +51,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -64,21 +89,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -90,29 +129,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -124,21 +180,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -155,17 +229,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -192,7 +272,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -205,7 +287,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -214,7 +298,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -237,10 +324,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -253,18 +349,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
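Review bot: The new `pattern: ^\*?[-:a-z0-9]*\*?$` on the `excludedNamespaces` items no longer requires any alphanumeric character, so it also validates the empty string, a bare `*`, `**` and values with a leading or trailing `-` or `:`, all of which the removed pattern rejected. How the matcher treats those values is not visible in this diff; if a bare `*` acts as match-all, a single `excludedNamespaces` entry would take every namespace out of scope, which should be an explicit decision rather than a side effect of simplifying the regex. The removed pattern already accepted `*system*`, so if that form was the goal, a pattern that still demands one alphanumeric, such as `^\*?[-:a-z0-9]*[a-z0-9][-:a-z0-9]*\*?$`, would keep the stricter validation. The same change is made to `name` and `namespaces` in the following hunks, in the repeated schema versions of this file and in the Config CRD's `excludedNamespaces`, and the `name` description still says "prefix or suffix glob". Since these CRDs carry a controller-gen annotation, the fix presumably belongs in the validation marker on the Go type rather than in this YAML.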
@@ -275,21 +387,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -301,29 +427,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -335,21 +478,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -366,17 +527,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -403,7 +570,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -416,7 +585,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -425,7 +596,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -448,10 +622,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -464,18 +647,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -486,21 +685,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -512,29 +725,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -546,21 +776,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -577,17 +825,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -614,7 +868,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -627,7 +883,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -636,7 +894,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/charts/gatekeeper/crds/config-customresourcedefinition.yaml b/charts/gatekeeper/crds/config-customresourcedefinition.yaml index 269ca95f9a2..2842c926d05 100644 --- a/charts/gatekeeper/crds/config-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/config-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: configs.config.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: Config is the Schema for the configs API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -38,8 +47,11 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array processes: diff --git a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml index c1e3199057d..566ac21f376 100644 --- a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constraintpodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33,7 +42,10 @@ spec: description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. properties: constraintUID: - description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the constraint UID allows us to detect drift, such as + when a constraint has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string enforced: type: boolean 
diff --git a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml index 271572bd7e8..f6290d17f7a 100644 --- a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constrainttemplatepodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -58,7 +67,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object diff --git a/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml b/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml index 0452edb7761..f5838f6e50e 100644 --- a/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplate.expansion.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +46,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -56,10 +69,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -69,7 +87,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -101,7 +122,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array @@ -117,10 +141,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -128,9 +161,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -147,10 +184,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -160,7 +202,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -192,7 +237,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array diff --git a/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml index 8f49b4c5f7f..004abaf343d 100644 --- a/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplatepodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,7 +63,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object diff --git a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml index 46574fd369f..188197df541 100644 --- a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: modifyset.mutations.gatekeeper.sh 
@@ -19,13 +19,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +48,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -59,21 +75,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -84,21 +119,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -110,29 +159,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -144,21 +210,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -176,9 +260,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -212,7 +309,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -221,7 +320,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -241,13 +343,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -255,9 +368,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -277,21 +395,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
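Review bot: The new `pattern: ^\*?[-:a-z0-9]*\*?$` on the `excludedNamespaces` items accepts the empty string, a bare `*`, `**`, and values that begin or end with `-` or `:`, all of which the removed pattern rejected because it required an alphanumeric core. The removed pattern already admitted a glob at both ends (`*system*` matches it), so the relaxation buys nothing for that documented case and only widens what passes schema validation. How the matcher treats an empty or all-wildcard entry is not visible in this diff; if it is treated as match-all, one entry in `excludedNamespaces` could exempt every namespace from a mutation, so it is worth confirming that with a test. If the wider grammar is not intended, requiring at least one alphanumeric, e.g. `pattern: ^\*?[-:a-z0-9]*[a-z0-9][-:a-z0-9]*\*?$`, keeps the new forms while rejecting the degenerate ones. The same pattern is applied to `name` and `namespaces` in the hunks at -328 and -362 and again for v1beta1 at -495, -546 and -580. The file carries a controller-gen annotation, so the fix presumably belongs in the source marker rather than in this YAML.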
@@ -302,21 +439,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -328,29 +479,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -362,21 +530,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -394,9 +580,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -430,7 +629,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -439,7 +640,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -459,13 +663,24 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -473,9 +688,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -495,21 +715,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -520,21 +759,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -546,29 +799,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -580,21 +850,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -612,9 +900,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -648,7 +949,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -657,7 +960,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml index fd6a0f6dea6..931e05e147a 100644 --- a/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: mutatorpodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: MutatorPodStatus is the Schema for the mutationpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -41,7 +50,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -50,7 +61,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml b/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml index c5c51f9da4a..1ef7ce4154e 100644 --- a/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: syncsets.syncset.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: SyncSet defines which resources Gatekeeper will cache. The union of all SyncSets plus the syncOnly field of Gatekeeper's Config resource defines the sets of resources that will be synced. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 2455339d122..df9807a6d96 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
@@ -72,6 +72,8 @@ spec: - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} + - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }} + - --vap-enforcement={{ .Values.vapEnforcement }} {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} {{- range .Values.metricsBackends}} diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index 2693455e989..e41f96c9790 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml index 1018dcdb667..72d7513baaf 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 5705f56796a..c3cc122851a 100644 
--- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -24,6 +24,9 @@ webhooks: path: /v1/mutate {{- end }} failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} + {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }} + matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }} + {{- end }} matchPolicy: Exact name: mutation.gatekeeper.sh namespaceSelector: diff --git a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index 9b65cebd2f7..c8dbc8f0daa 100644 --- a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -24,6 +24,9 @@ webhooks: path: /v1/admit {{- end }} failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} + {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }} + matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }} + {{- end }} matchPolicy: Exact name: validation.gatekeeper.sh namespaceSelector: diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index b3f9b1fa9a9..f452ec3165b 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml @@ -14,6 +14,7 @@ validatingWebhookFailurePolicy: Ignore validatingWebhookAnnotations: {} validatingWebhookExemptNamespacesLabels: {} validatingWebhookObjectSelector: {} +validatingWebhookMatchConditions: [] validatingWebhookCheckIgnoreFailurePolicy: Fail validatingWebhookCustomRules: {} validatingWebhookURL: null 
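Review bot: The guard `{{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}` around `matchConditions` in the mutating webhook template only works when `Minor` is a plain number. Some distributions are known to report it with a suffix such as `28+`, and `int` would then not yield 28, so a configured `mutatingWebhookMatchConditions` would be left out of the rendered webhook without any error. Comparing the full version is more robust: `{{- if semverCompare ">=1.28-0" .Capabilities.KubeVersion.Version }}`. The validating webhook hunk that follows uses the same guard and needs the same change. Because a request that fails a match condition skips the webhook entirely, the two new `...MatchConditions: []` keys in values.yaml also deserve a comment such as `# requests that do not match these CEL conditions bypass Gatekeeper admission`.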
@@ -28,6 +29,7 @@ mutatingWebhookReinvocationPolicy: Never mutatingWebhookAnnotations: {} mutatingWebhookExemptNamespacesLabels: {} mutatingWebhookObjectSelector: {} +mutatingWebhookMatchConditions: [] mutatingWebhookTimeoutSeconds: 1 mutatingWebhookCustomRules: {} mutatingWebhookURL: null @@ -42,23 +44,25 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m +enableK8sNativeValidation: false +vapEnforcement: GATEKEEPER_DEFAULT image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.16.0-beta.1 + release: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -89,7 +93,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -130,7 +134,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index 67d82e13df1..f690a0fba1c 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.16.0-beta.1 +version: 3.16.0-beta.2 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.16.0-beta.1 +appVersion: v3.16.0-beta.2 
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 1a010d7a60f..7430a33cf2a 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.1` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.2` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | @@ -97,7 +97,7 @@ information._ | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.1` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.2` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | 
@@ -107,10 +107,10 @@ information._ | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.16.0-beta.1` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.16.0-beta.2` | | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.16.0-beta.1` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.16.0-beta.2` | | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -173,7 +173,7 @@ information._ | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.16.0-beta.1` | +| image.release | The image release tag to use | Current release version: `v3.16.0-beta.2` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index b80b6189f46..f452ec3165b 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -49,20 +49,20 @@ vapEnforcement: GATEKEEPER_DEFAULT image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.16.0-beta.1 + release: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -93,7 +93,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -134,7 +134,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index c86b292ea02..4a3619bddce 100644 --- a/config/manager/manager.yaml 
+++ b/config/manager/manager.yaml @@ -56,7 +56,7 @@ spec: - "--operation=webhook" - "--operation=mutation-webhook" - "--disable-opa-builtin={http.send}" - image: openpolicyagent/gatekeeper:v3.16.0-beta.1 + image: openpolicyagent/gatekeeper:v3.16.0-beta.2 imagePullPolicy: Always name: manager ports: @@ -150,7 +150,7 @@ spec: - --disable-cert-rotation command: - /manager - image: openpolicyagent/gatekeeper:v3.16.0-beta.1 + image: openpolicyagent/gatekeeper:v3.16.0-beta.2 env: # used by Gatekeeper - name: POD_NAMESPACE diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml index 618cd8e2fc6..dbc9aed534b 100644 --- a/deploy/gatekeeper.yaml +++ b/deploy/gatekeeper.yaml @@ -34,7 +34,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assign.mutations.gatekeeper.sh 
@@ -54,10 +54,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -69,9 +78,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -91,21 +105,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
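Review bot: The new `pattern: ^\*?[-:a-z0-9]*\*?$` on the `excludedNamespaces` items makes every part optional, so it now accepts the empty string, a bare `*` or `**`, and names that start or end with `-` or `:`, all of which the replaced pattern rejected. How the matcher treats a bare `*` is not visible in this diff, but if it means match-all, a single `excludedNamespaces: ["*"]` entry would pass schema validation and take every namespace out of the mutator's scope. Requiring at least one name character keeps the new `*system*` form while closing that gap, for example `^\*?[-:a-z0-9]*[a-z0-9][-:a-z0-9]*\*?$`. The same pattern is introduced for `name` in hunk `@@ -142,29 +189,46 @@` and for `namespaces` in hunk `@@ -176,21 +240,39 @@`. This file looks like controller-gen output, so the change presumably belongs in the validation marker on the source type rather than in this YAML.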
@@ -116,21 +149,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -142,29 +189,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -176,21 +240,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -208,17 +290,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -241,7 +329,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -271,7 +370,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -280,7 +381,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -303,10 +407,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -314,9 +427,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -336,21 +454,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
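Review bot: The relaxed `pattern: ^\*?[-:a-z0-9]*\*?$` on the `excludedNamespaces` items now also accepts the empty string, a bare `*` or `**`, and values that begin or end with `-`, all of which the previous pattern rejected because it required at least one `[a-z0-9]` character. How the matcher treats those values is not visible here, but for a field that decides which namespaces a mutation skips, a wildcard-only entry could plausibly widen the exclusion to every namespace. Requiring at least one literal character would keep the new `*system*` form while still rejecting them: `pattern: ^\*?[-:a-z0-9]+\*?$`. The same pattern is applied to `name` and to the `namespaces` items in the later hunks of this file, and the parent descriptions there still say "prefix or suffix based glob" while the item descriptions now say "front and end". Since this manifest carries a controller-gen version annotation, the change probably belongs in the validation marker on the Go type rather than in this YAML.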
@@ -361,21 +498,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -387,29 +538,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -421,21 +589,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -453,17 +639,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -486,7 +678,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -516,7 +719,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -525,7 +730,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -548,10 +756,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -559,9 +776,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -581,21 +803,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -606,21 +847,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -632,29 +887,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -666,21 +938,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -698,17 +988,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -731,7 +1027,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -761,7 +1068,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -770,7 +1079,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -792,7 +1104,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignimage.mutations.gatekeeper.sh 
@@ -812,10 +1124,19 @@ spec: description: AssignImage is the Schema for the assignimage API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -827,9 +1148,14 @@ spec: description: AssignImageSpec defines the desired state of AssignImage. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -849,21 +1175,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
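Review bot: The new item pattern `^\*?[-:a-z0-9]*\*?$` under `excludedNamespaces` no longer requires any literal character, so it accepts the empty string, a bare `*` and `**`, and entries that begin or end with `-` or `:`, all of which the removed pattern rejected. How the matcher treats such entries is not visible in this diff, but for a field that exempts namespaces from a mutator, accepting an empty or match-everything entry should be an explicit decision rather than a side effect of the regex. If those values are not meant to be valid, `^\*?[-:a-z0-9]+\*?$` keeps the new both-ends globbing while requiring at least one literal character. The same pattern is introduced for `name` and `namespaces` in the later hunks (`@@ -900,29 +1259,46 @@`, `@@ -934,21 +1310,39 @@` and the AssignMetadata equivalents), and since the manifest carries a controller-gen annotation the change presumably belongs in the validation marker on the source type.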
@@ -874,21 +1219,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -900,29 +1259,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -934,21 +1310,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -959,17 +1353,32 @@ spec: description: Parameters define the behavior of the mutator. properties: assignDomain: - description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + description: |- + AssignDomain sets the domain component on an image string. The trailing + slash should not be included. type: string assignPath: description: AssignPath sets the domain component on an image string. type: string assignTag: - description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + description: |- + AssignImage sets the image component on an image string. It must start + with a `:` or `@`. type: string pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object 
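Review bot: The re-wrapped `assignTag` description still opens with "AssignImage sets the image component", and the unchanged `assignPath` description next to it says it "sets the domain component", which is the wording of `assignDomain`. Both read like copy-paste leftovers, and for fields that rewrite image references the text should say which component each one replaces. Going by the field names, something like `AssignTag sets the tag component on an image string.` and `AssignPath sets the path component on an image string.` would fit, fixed in the source type comments so the generated schema picks it up.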
@@ -999,7 +1408,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -1008,7 +1419,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1030,7 +1444,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignmetadata.mutations.gatekeeper.sh 
@@ -1050,10 +1464,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -1070,18 +1493,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -1092,21 +1531,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1118,29 +1571,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1152,21 +1622,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -1183,17 +1671,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -1220,7 +1714,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -1233,7 +1729,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -1242,7 +1740,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1265,10 +1766,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1281,18 +1791,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
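Review bot: The new `pattern: ^\*?[-:a-z0-9]*\*?$` on the `excludedNamespaces` items no longer requires any alphanumeric character, so the schema now admits the empty string, a bare `*`, `**`, and values such as `-` or `:`, all of which the previous pattern rejected. The previous pattern already accepted a glob on both ends (`*system*` matches it), so the loosening does not look necessary for the behaviour the new description documents. If the matcher treats a bare `*` as match-everything (not visible in this diff), a single entry would take every namespace out of a mutator's or the Config's scope, so it is worth keeping one mandatory character, for example `pattern: ^\*?[-:a-z0-9]*[a-z0-9][-:a-z0-9]*\*?$`. The same pattern is introduced on `name`, `namespaces` and the Config `excludedNamespaces` in the hunks at `@@ -1329`, `@@ -1363`, `@@ -1492`, `@@ -1540`, `@@ -1574` and `@@ -1722`, and the `name` description there still says "prefix or suffix glob". This manifest appears to be controller-gen output, so the fix presumably belongs on the validation marker of the source type rather than in this file.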
@@ -1303,21 +1829,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1329,29 +1869,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1363,21 +1920,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -1394,17 +1969,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -1431,7 +2012,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -1444,7 +2027,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -1453,7 +2038,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1476,10 +2064,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1492,18 +2089,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -1514,21 +2127,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1540,29 +2167,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1574,21 +2218,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -1605,17 +2267,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -1642,7 +2310,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -1655,7 +2325,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -1664,7 +2336,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1686,7 +2361,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: configs.config.gatekeeper.sh 
@@ -1706,10 +2381,19 @@ spec: description: Config is the Schema for the configs API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1722,8 +2406,11 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array processes: @@ -1792,7 +2479,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constraintpodstatuses.status.gatekeeper.sh 
@@ -1812,10 +2499,19 @@ spec: description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1823,7 +2519,10 @@ spec: description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. properties: constraintUID: - description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the constraint UID allows us to detect drift, such as + when a constraint has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string enforced: type: boolean 
@@ -1860,7 +2559,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constrainttemplatepodstatuses.status.gatekeeper.sh @@ -1880,10 +2579,19 @@ spec: description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1916,7 +2624,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object @@ -2285,7 +2996,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplate.expansion.gatekeeper.sh 
@@ -2305,10 +3016,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -2320,9 +3040,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -2339,10 +3063,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -2352,7 +3081,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -2384,7 +3116,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array 
@@ -2400,10 +3135,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -2411,9 +3155,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -2430,10 +3178,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -2443,7 +3196,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -2475,7 +3231,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array @@ -2490,7 +3249,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplatepodstatuses.status.gatekeeper.sh 
@@ -2510,10 +3269,19 @@ spec: description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -2542,7 +3310,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object @@ -2553,7 +3324,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: modifyset.mutations.gatekeeper.sh 
@@ -2570,13 +3341,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -2588,9 +3370,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -2610,21 +3397,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -2635,21 +3441,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2661,29 +3481,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
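Review bot: The `name` description rewritten in this hunk still reads "Name also supports a prefix or suffix glob", but the `pattern: ^\*?[-:a-z0-9]*\*?$` added beside it also accepts a leading and a trailing asterisk together. I would reword the sentence to `Name also supports a prefix, suffix, or combined prefix-and-suffix glob.` and add a `name: *pod*` example, so the documented contract matches what validation admits. The field-level `namespaces` and `excludedNamespaces` descriptions in the neighbouring hunks keep the same "prefix or suffix based glob" wording, although their item descriptions were updated to "front and end".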
@@ -2695,21 +3532,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -2727,9 +3582,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -2763,7 +3631,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -2772,7 +3642,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -2792,13 +3665,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -2806,9 +3690,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -2828,21 +3717,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
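Review bot: The widened glob pattern on the `excludedNamespaces` items, `^\*?[-:a-z0-9]*\*?$`, now accepts the empty string, a bare `*`, `**`, and values that begin or end with `-`. The previous pattern rejected all of these because it required at least one alphanumeric character. How the matcher treats a bare `*` is not visible in this hunk, but if it matches every namespace, a single `excludedNamespaces: ["*"]` entry would exempt every namespaced object from the mutator, which is easy to introduce by mistake and hard to spot in review. If that is not intended, require at least one literal character, e.g. `pattern: ^\*?[-:a-z0-9]+\*?$`, presumably via the validation marker on the source type, since this manifest is controller-gen output; if it is intended, the description should say so. The same pattern is added for `name` and `namespaces`, and again in the v1beta1 schema, in the hunks at -2879, -2913, -3046, -3097 and -3131.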
@@ -2853,21 +3761,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2879,29 +3801,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
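Review bot: The `name` description in this hunk still says "Name also supports a prefix or suffix glob", although the pattern beside it is widened to `^\*?[-:a-z0-9]*\*?$`, which accepts a wildcard at both ends at once. The item descriptions for `namespaces` and `excludedNamespaces` were updated to "front and end" with a `*system*` example, so the `name` text should say the same, for instance `Name also supports a glob at its front, its end, or both.` Whether the name matcher actually honours a double-ended glob is not visible here; if it does not, the pattern rather than the description is what needs correcting. The v1beta1 copy in the hunk at -3097 has the same stale sentence.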
@@ -2913,21 +3852,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -2945,9 +3902,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -2981,7 +3951,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -2990,7 +3962,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -3010,13 +3985,24 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3024,9 +4010,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -3046,21 +4037,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
+ pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -3071,21 +4081,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3097,29 +4121,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3131,21 +4172,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -3163,9 +4222,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -3199,7 +4271,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -3208,7 +4282,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -3230,7 +4307,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: mutatorpodstatuses.status.gatekeeper.sh 
@@ -3250,10 +4327,19 @@ spec: description: MutatorPodStatus is the Schema for the mutationpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3269,7 +4355,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -3278,7 +4366,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -3375,7 +4466,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: syncsets.syncset.gatekeeper.sh 
@@ -3395,10 +4486,19 @@ spec: description: SyncSet defines which resources Gatekeeper will cache. The union of all SyncSets plus the syncOnly field of Gatekeeper's Config resource defines the sets of resources that will be synced. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: @@ -3435,7 +4535,6 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role @@ -3464,7 +4563,6 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role 
@@ -3762,7 +4860,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.16.0-beta.1 + image: openpolicyagent/gatekeeper:v3.16.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: @@ -3881,7 +4979,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.16.0-beta.1 + image: openpolicyagent/gatekeeper:v3.16.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml index 67d82e13df1..f690a0fba1c 100644 --- a/manifest_staging/charts/gatekeeper/Chart.yaml +++ b/manifest_staging/charts/gatekeeper/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.16.0-beta.1 +version: 3.16.0-beta.2 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.16.0-beta.1 +appVersion: v3.16.0-beta.2 diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 1a010d7a60f..7430a33cf2a 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -74,7 +74,7 @@ information._
 | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` |
 | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` |
 | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
-| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.1` |
+| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.2` |
 | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
 | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` |
@@ -97,7 +97,7 @@ information._
 | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
 | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` |
 | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
-| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.1` |
+| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.16.0-beta.2` |
 | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
 | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` |
@@ -107,10 +107,10 @@ information._
 | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
 | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
-| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.16.0-beta.1` |
+| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.16.0-beta.2` |
 | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
 | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
-| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.16.0-beta.1` |
+| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.16.0-beta.2` |
 | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` |
 | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
@@ -173,7 +173,7 @@ information._ | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.16.0-beta.1` | +| image.release | The image release tag to use | Current release version: `v3.16.0-beta.2` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index b80b6189f46..f452ec3165b 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -49,20 +49,20 @@ vapEnforcement: GATEKEEPER_DEFAULT image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.16.0-beta.1 + release: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -93,7 +93,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -134,7 +134,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.16.0-beta.1 + tag: v3.16.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" 
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 2e6fb85caf9..dbc9aed534b 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -4860,7 +4860,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.16.0-beta.1 + image: openpolicyagent/gatekeeper:v3.16.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: @@ -4979,7 +4979,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.16.0-beta.1 + image: openpolicyagent/gatekeeper:v3.16.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: