Version: 1.17

You can find the definitions for the Kubewarden Custom Resources both on this page and here at docs.crds.dev.

API Reference

Packages

policies.kubewarden.io/v1
policies.kubewarden.io/v1alpha2

policies.kubewarden.io/v1

Package v1 contains API Schema definitions for the policies v1 API group

Resource Types

AdmissionPolicy
AdmissionPolicyList
ClusterAdmissionPolicy
ClusterAdmissionPolicyList
AdmissionPolicyGroup
AdmissionPolicyGroupList
ClusterAdmissionPolicyGroup
ClusterAdmissionPolicyGroupList
PolicyServer
PolicyServerList

AdmissionPolicy

AdmissionPolicy is the Schema for the admissionpolicies API

Appears in:

AdmissionPolicyList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`AdmissionPolicy`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` AdmissionPolicySpec

AdmissionPolicyList

AdmissionPolicyList contains a list of AdmissionPolicy.

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`AdmissionPolicyList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` AdmissionPolicy array

AdmissionPolicySpec

AdmissionPolicySpec defines the desired state of AdmissionPolicy.

Appears in:

AdmissionPolicy

Field	Description
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`module` string	Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If prefix is missing, it will default to registry:// and use that internally.
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
`settings` RawExtension	Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
`mutating` boolean	Mutating indicates whether a policy has the ability to mutate incoming requests or not.
`backgroundAudit` boolean	BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true".
`matchPolicy` MatchPolicyType	matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
`matchConditions` MatchCondition array	MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped. Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.

ClusterAdmissionPolicy

ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API

Appears in:

ClusterAdmissionPolicyList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`ClusterAdmissionPolicy`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` ClusterAdmissionPolicySpec

ClusterAdmissionPolicyList

ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`ClusterAdmissionPolicyList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` ClusterAdmissionPolicy array

ClusterAdmissionPolicySpec

ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.

Appears in:

ClusterAdmissionPolicy

Field	Description
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`module` string	Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If prefix is missing, it will default to registry:// and use that internally.
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
`settings` RawExtension	Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
`mutating` boolean	Mutating indicates whether a policy has the ability to mutate incoming requests or not.
`backgroundAudit` boolean	BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true".
`matchPolicy` MatchPolicyType	matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
`matchConditions` MatchCondition array	MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped. Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
`namespaceSelector` LabelSelector	NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
`contextAwareResources` ContextAwareResource array	List of Kubernetes resources the policy is allowed to access at evaluation time. Access to these resources is done using the `ServiceAccount` of the PolicyServer the policy is assigned to.

AdmissionPolicyGroup

AdmissionPolicyGroup is the Schema for the admissionpolicygroups API

Appears in:

AdmissionPolicyGroupList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`AdmissionPolicyGroup`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` AdmissionPolicyGroupSpec

AdmissionPolicyGroupList

AdmissionPolicyGroupList contains a list of AdmissionPolicyGroup.

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`AdmissionPolicyGroupList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` AdmissionPolicyGroup array

AdmissionPolicyGroupSpec

AdmissionPolicyGroupSpec defines the desired state of AdmissionPolicyGroup.

Appears in:

AdmissionPolicyGroup

Field	Description
`backgroundAudit` boolean	BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If `false`, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is `true`.
`expression` string	Expression is the evaluation expression to accept or reject the admission request under evaluation. This field uses CEL as the expression language for the policy groups. Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. The expression field should be a valid CEL expression that evaluates to a boolean value. If the expression evaluates to true, the group policy will be considered as accepted, otherwise, it will be considered as rejected. This expression allows grouping policies calls and perform logical operations on the results of the policies. See Kubewarden documentation to learn about all the features available.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are `Ignore` or `Fail`. `Ignore` means that an error calling the webhook is ignored and the API request is allowed to continue. `Fail` means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is `Fail`
`matchConditions` MatchCondition array	MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): If ANY matchCondition evaluates to FALSE, the policy is skipped. If ALL matchConditions evaluate to TRUE, the policy is evaluated. If any matchCondition evaluates to an error (but none are FALSE): If failurePolicy=Fail, reject the request If failurePolicy=Ignore, the policy is skipped. Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
`matchPolicy` MatchPolicyType	matchPolicy defines how the `rules` list is used to match incoming requests. Allowed values are `Exact` or `Equivalent`. `Exact`: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but `rules` only included `apiGroups:[apps], apiVersions:[v1], resources: [deployments]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. `Equivalent`: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and `rules` only included `apiGroups:[apps], apiVersions:[v1], resources: [deployments]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to `Equivalent`
`message` string	Message is used to specify the message that will be returned when the policy group is rejected. The specific policy results will be returned in the warning field of the response.
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either `protect` or `monitor`. If it's empty, it is defaulted to `protect`. Transitioning this setting from `monitor` to `protect` is allowed, but is disallowed to transition from `protect` to `monitor`. To perform this transition, the policy should be recreated in `monitor` mode instead.
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`policies` PolicyGroupMember array	Policies is a list of policies that are part of the group that will be available to be called in the evaluation expression field. Each policy in the group should be a Kubewarden policy.
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds

ClusterAdmissionPolicyGroup

ClusterAdmissionPolicyGroup is the Schema for the admissionpolicygroups API

Appears in:

ClusterAdmissionPolicyGroupList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`ClusterAdmissionPolicyGroup`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` ClusterAdmissionPolicyGroupSpec

ClusterAdmissionPolicyGroupList

ClusterAdmissionPolicyGroupList contains a list of ClusterAdmissionPolicyGroup.

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`ClusterAdmissionPolicyGroupList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` ClusterAdmissionPolicyGroup array

ClusterAdmissionPolicyGroupSpec

ClusterAdmissionPolicyGroupSpec defines the desired state of ClusterAdmissionPolicyGroup.

Appears in:

ClusterAdmissionPolicyGroup

Field	Description
`backgroundAudit` boolean	BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If `false`, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is `true`.
`expression` string	Expression is the evaluation expression to accept or reject the admission request under evaluation. This field uses CEL as the expression language for the policy groups. Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. The expression field should be a valid CEL expression that evaluates to a boolean value. If the expression evaluates to true, the group policy will be considered as accepted, otherwise, it will be considered as rejected. This expression allows grouping policies calls and perform logical operations on the results of the policies. See Kubewarden documentation to learn about all the features available.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are `Ignore` or `Fail`. `Ignore` means that an error calling the webhook is ignored and the API request is allowed to continue. `Fail` means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is `Fail`
`matchConditions` MatchCondition array	MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): If ANY matchCondition evaluates to FALSE, the policy is skipped. If ALL matchConditions evaluate to TRUE, the policy is evaluated. If any matchCondition evaluates to an error (but none are FALSE): If failurePolicy=Fail, reject the request If failurePolicy=Ignore, the policy is skipped. Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
`matchPolicy` MatchPolicyType	matchPolicy defines how the `rules` list is used to match incoming requests. Allowed values are `Exact` or `Equivalent`. `Exact`: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but `rules` only included `apiGroups:[apps], apiVersions:[v1], resources: [deployments]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. `Equivalent`: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and `rules` only included `apiGroups:[apps], apiVersions:[v1], resources: [deployments]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to `Equivalent`
`message` string	Message is used to specify the message that will be returned when the policy group is rejected. The specific policy results will be returned in the warning field of the response.
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either `protect` or `monitor`. If it's empty, it is defaulted to `protect`. Transitioning this setting from `monitor` to `protect` is allowed, but is disallowed to transition from `protect` to `monitor`. To perform this transition, the policy should be recreated in `monitor` mode instead.
`namespaceSelector` LabelSelector	NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`policies` PolicyGroupMember array	Policies is a list of policies that are part of the group that will be available to be called in the evaluation expression field. Each policy in the group should be a Kubewarden policy.
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds

PolicyGroupMember

Kubewarden Policy that is part of the policy group that will be available to be called in the evaluation expression field.

Appears in:

ClusterAdmissionPolicyGroupSpec
AdmissionPolicyGroupSpec

Field	Description
`module`	Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If prefix is missing, it will default to registry:// and use that internally.
`settings` RawExtension	Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
`contextAwareResources` ContextAwareResource array	List of Kubernetes resources the policy is allowed to access at evaluation time. Access to these resources is done using the `ServiceAccount` of the PolicyServer the policy is assigned to.

ContextAwareResource

ContextAwareResource identifies a Kubernetes resource.

Appears in:

ClusterAdmissionPolicySpec

Field	Description
`apiVersion` string	apiVersion of the resource (v1 for core group, groupName/groupVersions for other).
`kind` string	Singular PascalCase name of the resource

PolicyMode

Underlying type: string

Appears in:

AdmissionPolicySpec
ClusterAdmissionPolicySpec
PolicySpec

PolicyModeStatus

Underlying type: string

Appears in:

PolicyStatus

PolicyServer

PolicyServer is the Schema for the policyservers API.

Appears in:

PolicyServerList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`PolicyServer`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` PolicyServerSpec

PolicyServerList

PolicyServerList contains a list of PolicyServer.

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1`
`kind` string	`PolicyServerList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` PolicyServer array

PolicyServerSecurity

PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload.

Appears in:

PolicyServerSpec

Field	Description
`container` SecurityContext	securityContext definition to be used in the policy server container
`pod` PodSecurityContext	podSecurityContext definition to be used in the policy server Pod

PolicyServerSpec

PolicyServerSpec defines the desired state of PolicyServer.

Appears in:

PolicyServer

Field	Description
`image` string	Docker image name.
`replicas` integer	Replicas is the number of desired replicas.
`minAvailable` IntOrString	Number of policy server replicas that must be still available after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or Max MaxUnavailable can be set.
`maxUnavailable` IntOrString	Number of policy server replicas that can be unavailable after the eviction. The value can be an absolute number or a percentage. Only one of MinAvailable or Max MaxUnavailable can be set.
`annotations` object (keys:string, values:string)	Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
`env` EnvVar array	List of environment variables to set in the container.
`serviceAccountName` string	Name of the service account associated with the policy server. Namespace service account will be used if not specified.
`imagePullSecret` string	Name of ImagePullSecret secret in the same namespace, used for pulling policies from repositories.
`insecureSources` string array	List of insecure URIs to policy repositories. The `insecureSources` content format corresponds with the contents of the `insecure_sources` key in `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden documentation in the reference section.
`sourceAuthorities` object (keys:string, values:string array)	Key value map of registry URIs endpoints to a list of their associated PEM encoded certificate authorities that have to be used to verify the certificate used by the endpoint. The `sourceAuthorities` content format corresponds with the contents of the `source_authorities` key in `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden documentation in the reference section.
`verificationConfig` string	Name of VerificationConfig configmap in the same namespace, containing Sigstore verification configuration. The configuration must be under a key named verification-config in the Configmap.
`securityContexts` PolicyServerSecurity	Security configuration to be used in the Policy Server workload. The field allows different configurations for the pod and containers. If set for the containers, this configuration will not be used in containers added by other controllers (e.g. telemetry sidecars)
`affinity` Affinity	Affinity rules for the associated Policy Server pods.
`limits` object (keys:ResourceName, values:Quantity)	Limits describes the maximum amount of compute resources allowed.
`requests` object (keys:ResourceName, values:Quantity)	Requests describes the minimum amount of compute resources required. If Request is omitted for, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value
`tolerations` Toleration array	Tolerations describe the policy server pod's tolerations. It can be used to ensure that the policy server pod is not scheduled onto a node with a taint.

PolicySpec

Appears in:

AdmissionPolicySpec
ClusterAdmissionPolicySpec

Field	Description
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`module` string	Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If prefix is missing, it will default to registry:// and use that internally.
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
`settings` RawExtension	Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
`mutating` boolean	Mutating indicates whether a policy has the ability to mutate incoming requests or not.
`backgroundAudit` boolean	BackgroundAudit indicates whether a policy should be used or skipped when performing audit checks. If false, the policy cannot produce meaningful evaluation results during audit checks and will be skipped. The default is "true".
`matchPolicy` MatchPolicyType	matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
`matchConditions` MatchCondition array	MatchConditions are a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped. Only available if the feature gate AdmissionWebhookMatchConditions is enabled.
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.

PolicyStatusEnum

Underlying type: string

Appears in:

PolicyStatus

policies.kubewarden.io/v1alpha2

Package v1alpha2 contains API Schema definitions for the policies v1alpha2 API group

AdmissionPolicy

AdmissionPolicy is the Schema for the admissionpolicies API

Appears in:

AdmissionPolicyList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1alpha2`
`kind` string	`AdmissionPolicy`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` AdmissionPolicySpec

AdmissionPolicyList

AdmissionPolicyList contains a list of AdmissionPolicy.

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1alpha2`
`kind` string	`AdmissionPolicyList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` AdmissionPolicy array

AdmissionPolicySpec

AdmissionPolicySpec defines the desired state of AdmissionPolicy.

Appears in:

AdmissionPolicy

Field	Description
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`module` string	Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://).
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
`settings` RawExtension	Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
`mutating` boolean	Mutating indicates whether a policy has the ability to mutate incoming requests or not.
`matchPolicy` MatchPolicyType	matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.

ClusterAdmissionPolicy

ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API

Appears in:

ClusterAdmissionPolicyList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1alpha2`
`kind` string	`ClusterAdmissionPolicy`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` ClusterAdmissionPolicySpec

ClusterAdmissionPolicyList

ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1alpha2`
`kind` string	`ClusterAdmissionPolicyList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` ClusterAdmissionPolicy array

ClusterAdmissionPolicySpec

ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy.

Appears in:

ClusterAdmissionPolicy

Field	Description
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`module` string	Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://).
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
`settings` RawExtension	Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
`mutating` boolean	Mutating indicates whether a policy has the ability to mutate incoming requests or not.
`matchPolicy` MatchPolicyType	matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
`namespaceSelector` LabelSelector	NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. Default to the empty LabelSelector, which matches everything.

PolicyMode

Underlying type: string

Appears in:

AdmissionPolicySpec
ClusterAdmissionPolicySpec
PolicySpec

PolicyModeStatus

Underlying type: string

Appears in:

PolicyStatus

PolicyServer

PolicyServer is the Schema for the policyservers API.

Appears in:

PolicyServerList

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1alpha2`
`kind` string	`PolicyServer`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` PolicyServerSpec

PolicyServerList

PolicyServerList contains a list of PolicyServer.

Field	Description
`apiVersion` string	`policies.kubewarden.io/v1alpha2`
`kind` string	`PolicyServerList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` PolicyServer array

PolicyServerSpec

PolicyServerSpec defines the desired state of PolicyServer.

Appears in:

PolicyServer

Field	Description
`image` string	Docker image name.
`replicas` integer	Replicas is the number of desired replicas.
`annotations` object (keys:string, values:string)	Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
`env` EnvVar array	List of environment variables to set in the container.
`serviceAccountName` string	Name of the service account associated with the policy server. Namespace service account will be used if not specified.
`imagePullSecret` string	Name of ImagePullSecret secret in the same namespace, used for pulling policies from repositories.
`insecureSources` string array	List of insecure URIs to policy repositories. The `insecureSources` content format corresponds with the contents of the `insecure_sources` key in `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden documentation in the reference section.
`sourceAuthorities` object (keys:string, values:string array)	Key value map of registry URIs endpoints to a list of their associated PEM encoded certificate authorities that have to be used to verify the certificate used by the endpoint. The `sourceAuthorities` content format corresponds with the contents of the `source_authorities` key in `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden documentation in the reference section.
`verificationConfig` string	Name of VerificationConfig configmap in the same namespace, containing Sigstore verification configuration. The configuration must be under a key named verification-config in the Configmap.

PolicySpec

Appears in:

AdmissionPolicySpec
ClusterAdmissionPolicySpec

Field	Description
`policyServer` string	PolicyServer identifies an existing PolicyServer resource.
`module` string	Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://).
`mode` PolicyMode	Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
`settings` RawExtension	Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
`rules` RuleWithOperations array	Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
`failurePolicy` FailurePolicyType	FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
`mutating` boolean	Mutating indicates whether a policy has the ability to mutate incoming requests or not.
`matchPolicy` MatchPolicyType	matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent"
`objectSelector` LabelSelector	ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
`sideEffects` SideEffectClass	SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
`timeoutSeconds` integer	TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.

PolicyStatusEnum

Underlying type: string

Appears in:

PolicyStatus

Packages​

policies.kubewarden.io/v1​

Resource Types​

AdmissionPolicy​

AdmissionPolicyList​

AdmissionPolicySpec​

ClusterAdmissionPolicy​

ClusterAdmissionPolicyList​

ClusterAdmissionPolicySpec​

AdmissionPolicyGroup​

AdmissionPolicyGroupList​

AdmissionPolicyGroupSpec​

ClusterAdmissionPolicyGroup​

ClusterAdmissionPolicyGroupList​

ClusterAdmissionPolicyGroupSpec​

PolicyGroupMember​

ContextAwareResource​

PolicyMode​

PolicyModeStatus​

PolicyServer​

PolicyServerList​

PolicyServerSecurity​

PolicyServerSpec​

PolicySpec​

PolicyStatusEnum​

policies.kubewarden.io/v1alpha2​

Resource Types​

AdmissionPolicy​

AdmissionPolicyList​

AdmissionPolicySpec​

ClusterAdmissionPolicy​

ClusterAdmissionPolicyList​

ClusterAdmissionPolicySpec​

PolicyMode​

PolicyModeStatus​

PolicyServer​

PolicyServerList​

PolicyServerSpec​

PolicySpec​

PolicyStatusEnum​

Packages

policies.kubewarden.io/v1

Resource Types

AdmissionPolicy

AdmissionPolicyList

AdmissionPolicySpec

ClusterAdmissionPolicy

ClusterAdmissionPolicyList

ClusterAdmissionPolicySpec

AdmissionPolicyGroup

AdmissionPolicyGroupList

AdmissionPolicyGroupSpec

ClusterAdmissionPolicyGroup

ClusterAdmissionPolicyGroupList

ClusterAdmissionPolicyGroupSpec

PolicyGroupMember

ContextAwareResource

PolicyMode

PolicyModeStatus

PolicyServer

PolicyServerList

PolicyServerSecurity

PolicyServerSpec

PolicySpec

PolicyStatusEnum

policies.kubewarden.io/v1alpha2

Resource Types

AdmissionPolicy

AdmissionPolicyList

AdmissionPolicySpec

ClusterAdmissionPolicy

ClusterAdmissionPolicyList

ClusterAdmissionPolicySpec

PolicyMode

PolicyModeStatus

PolicyServer

PolicyServerList

PolicyServerSpec

PolicySpec

PolicyStatusEnum