You can find the definitions for the Kubewarden Custom Resources both on this page and at docs.crds.dev.

# API Reference

## Packages

## policies.kubewarden.io/v1

Package v1 contains API Schema definitions for the policies v1 API group.

### Resource Types

- AdmissionPolicy
- AdmissionPolicyList
- ClusterAdmissionPolicy
- ClusterAdmissionPolicyList
- PolicyServer
- PolicyServerList
### AdmissionPolicy

AdmissionPolicy is the Schema for the admissionpolicies API.

Appears in: AdmissionPolicyList

| Field | Description |
|---|---|
| `apiVersion` _string_ | `policies.kubewarden.io/v1` |
| `kind` _string_ | `AdmissionPolicy` |
| `metadata` _ObjectMeta_ | Refer to the Kubernetes API documentation for the fields of `metadata`. |
| `spec` _AdmissionPolicySpec_ | |
### AdmissionPolicyList

AdmissionPolicyList contains a list of AdmissionPolicy.

| Field | Description |
|---|---|
| `apiVersion` _string_ | `policies.kubewarden.io/v1` |
| `kind` _string_ | `AdmissionPolicyList` |
| `metadata` _ListMeta_ | Refer to the Kubernetes API documentation for the fields of `metadata`. |
| `items` _AdmissionPolicy array_ | |
### AdmissionPolicySpec

AdmissionPolicySpec defines the desired state of AdmissionPolicy.

Appears in: AdmissionPolicy

| Field | Description |
|---|---|
| `policyServer` _string_ | PolicyServer identifies an existing PolicyServer resource. |
| `module` _string_ | Module is the location of the WASM module to be loaded. It can be a local file (`file://`), a remote file served by an HTTP server (`http://`, `https://`), or an artifact served by an OCI-compatible registry (`registry://`). If the prefix is missing, it defaults to `registry://`, which is used internally. |
| `mode` _PolicyMode_ | Mode defines the execution mode of this policy. It can be set to either `"protect"` or `"monitor"`. If it is empty, it defaults to `"protect"`. Transitioning this setting from `"monitor"` to `"protect"` is allowed, but transitioning from `"protect"` to `"monitor"` is not. To perform that transition, recreate the policy in `"monitor"` mode instead. |
| `settings` _RawExtension_ | Settings is a free-form object that contains the policy configuration values. `x-kubernetes-embedded-resource: false` |
| `rules` _RuleWithOperations array_ | Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule. |
| `failurePolicy` _FailurePolicyType_ | FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are `"Ignore"` or `"Fail"`. `"Ignore"` means that an error calling the webhook is ignored and the API request is allowed to continue. `"Fail"` means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is `"Fail"`. |
| `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. |
| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy is skipped because it cannot produce meaningful evaluation results during audit checks. The default is `true`. |
| `matchPolicy` _MatchPolicyType_ | matchPolicy defines how the `rules` list is used to match incoming requests. Allowed values are `"Exact"` or `"Equivalent"`. |
| `objectSelector` _LabelSelector_ | ObjectSelector decides whether to run the webhook based on whether the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Defaults to the empty LabelSelector, which matches everything. |
| `sideEffects` _SideEffectClass_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. |
| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call is ignored or the API call fails, depending on the failure policy. The timeout value must be between 1 and 30 seconds. Defaults to 10 seconds. |
### ClusterAdmissionPolicy

ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API.

Appears in: ClusterAdmissionPolicyList

| Field | Description |
|---|---|
| `apiVersion` _string_ | `policies.kubewarden.io/v1` |
| `kind` _string_ | `ClusterAdmissionPolicy` |
| `metadata` _ObjectMeta_ | Refer to the Kubernetes API documentation for the fields of `metadata`. |
| `spec` _ClusterAdmissionPolicySpec_ | |
### ClusterAdmissionPolicyList

ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy.

| Field | Description |
|---|---|
| `apiVersion` _string_ | `policies.kubewarden.io/v1` |
| `kind` _string_ | `ClusterAdmissionPolicyList` |
| `metadata` _ListMeta_ | Refer to the Kubernetes API documentation for the fields of `metadata`. |
| `items` _ClusterAdmissionPolicy array_ | |
### ClusterAdmissionPolicySpec

ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.

Appears in: ClusterAdmissionPolicy

| Field | Description |
|---|---|
| `policyServer` _string_ | PolicyServer identifies an existing PolicyServer resource. |
| `module` _string_ | Module is the location of the WASM module to be loaded. It can be a local file (`file://`), a remote file served by an HTTP server (`http://`, `https://`), or an artifact served by an OCI-compatible registry (`registry://`). If the prefix is missing, it defaults to `registry://`, which is used internally. |
| `mode` _PolicyMode_ | Mode defines the execution mode of this policy. It can be set to either `"protect"` or `"monitor"`. If it is empty, it defaults to `"protect"`. Transitioning this setting from `"monitor"` to `"protect"` is allowed, but transitioning from `"protect"` to `"monitor"` is not. To perform that transition, recreate the policy in `"monitor"` mode instead. |
| `settings` _RawExtension_ | Settings is a free-form object that contains the policy configuration values. `x-kubernetes-embedded-resource: false` |
| `rules` _RuleWithOperations array_ | Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule. |
| `failurePolicy` _FailurePolicyType_ | FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are `"Ignore"` or `"Fail"`. `"Ignore"` means that an error calling the webhook is ignored and the API request is allowed to continue. `"Fail"` means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is `"Fail"`. |
| `mutating` _boolean_ | Mutating indicates whether a policy has the ability to mutate incoming requests or not. |
| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy is skipped because it cannot produce meaningful evaluation results during audit checks. The default is `true`. |
| `matchPolicy` _MatchPolicyType_ | matchPolicy defines how the `rules` list is used to match incoming requests. Allowed values are `"Exact"` or `"Equivalent"`. |
| `objectSelector` _LabelSelector_ | ObjectSelector decides whether to run the webhook based on whether the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Defaults to the empty LabelSelector, which matches everything. |
| `sideEffects` _SideEffectClass_ | SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. |
| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call is ignored or the API call fails, depending on the failure policy. The timeout value must be between 1 and 30 seconds. Defaults to 10 seconds. |
| `namespaceSelector` _LabelSelector_ | NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster-scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with a "runlevel" of "0" or "1", set the selector as follows: `"namespaceSelector": {"matchExpressions": [{"key": "runlevel", "operator": "NotIn", "values": ["0", "1"]}]}`. If instead you want to run the webhook only on objects whose namespace is associated with an "environment" of "prod" or "staging", set the selector as follows: `"namespaceSelector": {"matchExpressions": [{"key": "environment", "operator": "In", "values": ["prod", "staging"]}]}`. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Defaults to the empty LabelSelector, which matches everything. |
| `contextAwareResources` _ContextAwareResource array_ | List of Kubernetes resources the policy is allowed to access at evaluation time. Access to these resources is done using the ServiceAccount of the PolicyServer the policy is assigned to. |
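The two spec tables (AdmissionPolicySpec above and ClusterAdmissionPolicySpec here) state defaults, allowed values and one ordering rule (a policy may move from `monitor` to `protect` but not back). The Python below is an added example that applies those rules to a manifest before it is submitted; it is not Kubewarden's controller or webhook code. The field names, defaults and allowed values are taken from the tables; the function names, the `kind` parameter, the constructed sample manifest, and its placeholder policy name and OCI reference are assumptions made here.

```python
"""Defaulting and validation of a Kubewarden (Cluster)AdmissionPolicySpec.

Added example, not Kubewarden's own code. Field names, defaults and allowed
values follow the API reference tables; everything else is constructed.
"""
from copy import deepcopy

MODULE_SCHEMES = ("file://", "http://", "https://", "registry://")
MODES = ("protect", "monitor")
FAILURE_POLICIES = ("Ignore", "Fail")
MATCH_POLICIES = ("Exact", "Equivalent")
SIDE_EFFECTS = ("None", "NoneOnDryRun", "Some", "Unknown")
# Fields documented only on ClusterAdmissionPolicySpec, not on AdmissionPolicySpec.
CLUSTER_ONLY_FIELDS = ("namespaceSelector", "contextAwareResources")


def normalize_policy_spec(spec: dict, kind: str = "AdmissionPolicy") -> dict:
    """Return a copy of `spec` with the documented defaults applied.

    Raises ValueError when a field holds a value the reference does not allow,
    or when a cluster-only field is used on a namespaced AdmissionPolicy.
    """
    out = deepcopy(spec)

    module = out.get("module")
    if not module:
        raise ValueError("spec.module is required")
    if not module.startswith(MODULE_SCHEMES):
        out["module"] = "registry://" + module   # missing prefix -> registry://

    out["mode"] = out.get("mode") or "protect"   # empty mode -> protect
    if out["mode"] not in MODES:
        raise ValueError(f"mode must be one of {MODES}")

    out["failurePolicy"] = out.get("failurePolicy") or "Fail"   # default Fail
    if out["failurePolicy"] not in FAILURE_POLICIES:
        raise ValueError(f"failurePolicy must be one of {FAILURE_POLICIES}")

    out.setdefault("backgroundAudit", True)   # default true

    timeout = out.setdefault("timeoutSeconds", 10)   # default 10 s
    if type(timeout) is not int or not 1 <= timeout <= 30:
        raise ValueError("timeoutSeconds must be an integer between 1 and 30")

    for field, allowed in (("matchPolicy", MATCH_POLICIES), ("sideEffects", SIDE_EFFECTS)):
        if field in out and out[field] not in allowed:
            raise ValueError(f"{field} must be one of {allowed}")

    if kind == "AdmissionPolicy":
        used = [f for f in CLUSTER_ONLY_FIELDS if f in out]
        if used:
            raise ValueError(f"{used} exist only on ClusterAdmissionPolicySpec")
    return out


def validation_error(spec: dict, kind: str = "AdmissionPolicy"):
    """Return the validation message for `spec`, or None when it is valid."""
    try:
        normalize_policy_spec(spec, kind)
    except ValueError as exc:
        return str(exc)
    return None


def is_mode_transition_allowed(old_mode: str, new_mode: str) -> bool:
    """monitor -> protect is allowed; protect -> monitor is not (the reference
    says to recreate the policy in monitor mode). Keeping the mode is fine."""
    return not (old_mode == "protect" and new_mode == "monitor")


def request_allowed_on_webhook_error(spec: dict) -> bool:
    """Outcome of an unrecognized error or timeout while calling the policy:
    Ignore lets the API request continue, Fail (the default) rejects it."""
    return (spec.get("failurePolicy") or "Fail") == "Ignore"


# Constructed sample manifest; the policy name and OCI reference are placeholders.
SAMPLE_POLICY = {
    "apiVersion": "policies.kubewarden.io/v1",
    "kind": "ClusterAdmissionPolicy",
    "metadata": {"name": "example-policy"},
    "spec": {
        "policyServer": "default",
        "module": "ghcr.io/example-org/example-policy:v0.1.0",   # no scheme given
        "mode": "monitor",
        "timeoutSeconds": 5,
        "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                   "resources": ["pods"], "operations": ["CREATE", "UPDATE"]}],
        # The runlevel selector from the namespaceSelector description above.
        "namespaceSelector": {"matchExpressions": [
            {"key": "runlevel", "operator": "NotIn", "values": ["0", "1"]}]},
    },
}

if __name__ == "__main__":
    spec = normalize_policy_spec(SAMPLE_POLICY["spec"], kind=SAMPLE_POLICY["kind"])
    print(spec["module"], spec["failurePolicy"], spec["backgroundAudit"], spec["timeoutSeconds"])
    print("monitor -> protect allowed:", is_mode_transition_allowed("monitor", "protect"))
    print("protect -> monitor allowed:", is_mode_transition_allowed("protect", "monitor"))
```

Passing `kind="ClusterAdmissionPolicy"` is what permits `namespaceSelector` and `contextAwareResources`; the same spec submitted as a namespaced `AdmissionPolicy` is rejected, which mirrors the difference between the two tables. The mode check is kept separate from normalization because it needs both the stored and the desired object, as an update admission check would.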
### ContextAwareResource

ContextAwareResource identifies a Kubernetes resource.

Appears in: ClusterAdmissionPolicySpec

| Field | Description |
|---|---|
| `apiVersion` _string_ | apiVersion of the resource (`v1` for the core group, `groupName/groupVersion` for the others). |
| `kind` _string_ | Singular PascalCase name of the resource. |