@pulumi/kubernetes
Version:
[](https://github.com/pulumi/pulumi-kubernetes/actions) [](https://slack.pulumi.com) [ • 2.65 MB
TypeScript
import * as outputs from "../types/output";
import * as enums from "../types/enums";
export declare namespace admissionregistration {
namespace v1 {
/**
* AuditAnnotation describes how to produce an audit annotation for an API request.
*/
interface AuditAnnotation {
/**
* key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
*
* The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}".
*
* If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.
*
* Required.
*/
key: string;
/**
* valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.
*
* If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.
*
* Required.
*/
valueExpression: string;
}
/**
* AuditAnnotation describes how to produce an audit annotation for an API request.
*/
interface AuditAnnotationPatch {
/**
* key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
*
* The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}".
*
* If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.
*
* Required.
*/
key: string;
/**
* valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.
*
* If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.
*
* Required.
*/
valueExpression: string;
}
/**
* ExpressionWarning is a warning information that targets a specific expression.
*/
interface ExpressionWarning {
/**
* The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is "spec.validations[0].expression"
*/
fieldRef: string;
/**
* The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.
*/
warning: string;
}
/**
* ExpressionWarning is a warning information that targets a specific expression.
*/
interface ExpressionWarningPatch {
/**
* The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is "spec.validations[0].expression"
*/
fieldRef: string;
/**
* The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.
*/
warning: string;
}
/**
* MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
*/
interface MatchCondition {
/**
* Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
*
* 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
* See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
* 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
* request resource.
* Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
*
* Required.
*/
expression: string;
/**
* Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
*
* Required.
*/
name: string;
}
/**
* MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
*/
interface MatchConditionPatch {
/**
* Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
*
* 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
* See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
* 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
* request resource.
* Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
*
* Required.
*/
expression: string;
/**
* Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
*
* Required.
*/
name: string;
}
/**
* MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
*/
interface MatchResources {
/**
* ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
*/
excludeResourceRules: outputs.admissionregistration.v1.NamedRuleWithOperations[];
/**
* matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
*
* - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
*
* - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
*
* Defaults to "Equivalent"
*/
matchPolicy: string;
/**
* NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.
*
* For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "runlevel",
* "operator": "NotIn",
* "values": [
* "0",
* "1"
* ]
* }
* ]
* }
*
* If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "environment",
* "operator": "In",
* "values": [
* "prod",
* "staging"
* ]
* }
* ]
* }
*
* See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
*
* Default to the empty LabelSelector, which matches everything.
*/
namespaceSelector: outputs.meta.v1.LabelSelector;
/**
* ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
*/
objectSelector: outputs.meta.v1.LabelSelector;
/**
* ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.
*/
resourceRules: outputs.admissionregistration.v1.NamedRuleWithOperations[];
}
/**
* MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
*/
interface MatchResourcesPatch {
/**
* ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
*/
excludeResourceRules: outputs.admissionregistration.v1.NamedRuleWithOperationsPatch[];
/**
* matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
*
* - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
*
* - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
*
* Defaults to "Equivalent"
*/
matchPolicy: string;
/**
* NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.
*
* For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "runlevel",
* "operator": "NotIn",
* "values": [
* "0",
* "1"
* ]
* }
* ]
* }
*
* If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "environment",
* "operator": "In",
* "values": [
* "prod",
* "staging"
* ]
* }
* ]
* }
*
* See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
*
* Default to the empty LabelSelector, which matches everything.
*/
namespaceSelector: outputs.meta.v1.LabelSelectorPatch;
/**
* ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
*/
objectSelector: outputs.meta.v1.LabelSelectorPatch;
/**
* ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.
*/
resourceRules: outputs.admissionregistration.v1.NamedRuleWithOperationsPatch[];
}
/**
* MutatingWebhook describes an admission webhook and the resources and operations it applies to.
*/
interface MutatingWebhook {
/**
* AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
*/
admissionReviewVersions: string[];
/**
* ClientConfig defines how to communicate with the hook. Required
*/
clientConfig: outputs.admissionregistration.v1.WebhookClientConfig;
/**
* FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
*/
failurePolicy: string;
/**
* MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
*
* The exact matching logic is (in order):
* 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
* 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
* 3. If any matchCondition evaluates to an error (but none are FALSE):
* - If failurePolicy=Fail, reject the request
* - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
*/
matchConditions: outputs.admissionregistration.v1.MatchCondition[];
/**
* matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
*
* - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
*
* - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
*
* Defaults to "Equivalent"
*/
matchPolicy: string;
/**
* The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
*/
name: string;
/**
* NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
*
* For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "runlevel",
* "operator": "NotIn",
* "values": [
* "0",
* "1"
* ]
* }
* ]
* }
*
* If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "environment",
* "operator": "In",
* "values": [
* "prod",
* "staging"
* ]
* }
* ]
* }
*
* See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
*
* Default to the empty LabelSelector, which matches everything.
*/
namespaceSelector: outputs.meta.v1.LabelSelector;
/**
* ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
*/
objectSelector: outputs.meta.v1.LabelSelector;
/**
* reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
*
* Never: the webhook will not be called more than once in a single admission evaluation.
*
* IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
*
* Defaults to "Never".
*/
reinvocationPolicy: string;
/**
* Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
*/
rules: outputs.admissionregistration.v1.RuleWithOperations[];
/**
* SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
*/
sideEffects: string;
/**
* TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
*/
timeoutSeconds: number;
}
/**
* MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
*/
interface MutatingWebhookConfiguration {
/**
* APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
*/
apiVersion: "admissionregistration.k8s.io/v1";
/**
* Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
*/
kind: "MutatingWebhookConfiguration";
/**
* Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
*/
metadata: outputs.meta.v1.ObjectMeta;
/**
* Webhooks is a list of webhooks and the affected resources and operations.
*/
webhooks: outputs.admissionregistration.v1.MutatingWebhook[];
}
/**
* MutatingWebhook describes an admission webhook and the resources and operations it applies to.
*/
interface MutatingWebhookPatch {
/**
* AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
*/
admissionReviewVersions: string[];
/**
* ClientConfig defines how to communicate with the hook. Required
*/
clientConfig: outputs.admissionregistration.v1.WebhookClientConfigPatch;
/**
* FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
*/
failurePolicy: string;
/**
* MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
*
* The exact matching logic is (in order):
* 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
* 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
* 3. If any matchCondition evaluates to an error (but none are FALSE):
* - If failurePolicy=Fail, reject the request
* - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
*/
matchConditions: outputs.admissionregistration.v1.MatchConditionPatch[];
/**
* matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
*
* - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
*
* - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
*
* Defaults to "Equivalent"
*/
matchPolicy: string;
/**
* The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
*/
name: string;
/**
* NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
*
* For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "runlevel",
* "operator": "NotIn",
* "values": [
* "0",
* "1"
* ]
* }
* ]
* }
*
* If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
* "matchExpressions": [
* {
* "key": "environment",
* "operator": "In",
* "values": [
* "prod",
* "staging"
* ]
* }
* ]
* }
*
* See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
*
* Default to the empty LabelSelector, which matches everything.
*/
namespaceSelector: outputs.meta.v1.LabelSelectorPatch;
/**
* ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
*/
objectSelector: outputs.meta.v1.LabelSelectorPatch;
/**
* reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
*
* Never: the webhook will not be called more than once in a single admission evaluation.
*
* IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
*
* Defaults to "Never".
*/
reinvocationPolicy: string;
/**
* Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
*/
rules: outputs.admissionregistration.v1.RuleWithOperationsPatch[];
/**
* SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
*/
sideEffects: string;
/**
* TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
*/
timeoutSeconds: number;
}
/**
* NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
*/
interface NamedRuleWithOperations {
/**
* APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
*/
apiGroups: string[];
/**
* APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
*/
apiVersions: string[];
/**
* Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
*/
operations: string[];
/**
* ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
*/
resourceNames: string[];
/**
* Resources is a list of resources this rule applies to.
*
* For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.
*
* If wildcard is present, the validation rule will ensure resources do not overlap with each other.
*
* Depending on the enclosing object, subresources might not be allowed. Required.
*/
resources: string[];
/**
* scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
*/
scope: string;
}
/**
* NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
*/
interface NamedRuleWithOperationsPatch {
/**
* APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
*/
apiGroups: string[];
/**
* APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
*/
apiVersions: string[];
/**
* Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
*/
operations: string[];
/**
* ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
*/
resourceNames: string[];
/**
* Resources is a list of resources this rule applies to.
*
* For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.
*
* If wildcard is present, the validation rule will ensure resources do not overlap with each other.
*
* Depending on the enclosing object, subresources might not be allowed. Required.
*/
resources: string[];
/**
* scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
*/
scope: string;
}
/**
* ParamKind is a tuple of Group Kind and Version.
*/
interface ParamKind {
/**
* APIVersion is the API group version the resources belong to. In format of "group/version". Required.
*/
apiVersion: string;
/**
* Kind is the API kind the resources belong to. Required.
*/
kind: string;
}
/**
* ParamKind is a tuple of Group Kind and Version.
*/
interface ParamKindPatch {
/**
* APIVersion is the API group version the resources belong to. In format of "group/version". Required.
*/
apiVersion: string;
/**
* Kind is the API kind the resources belong to. Required.
*/
kind: string;
}
/**
* ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.
*/
interface ParamRef {
/**
* name is the name of the resource being referenced.
*
* One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.
*
* A single parameter used for all admission requests can be configured by setting the `name` field, leaving `selector` blank, and setting namespace if `paramKind` is namespace-scoped.
*/
name: string;
/**
* namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.
*
* A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.
*
* - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.
*
* - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.
*/
namespace: string;
/**
* `parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.
*
* Allowed values are `Allow` or `Deny`
*
* Required
*/
parameterNotFoundAction: string;
/**
* selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.
*
* If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.
*
* One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.
*/
selector: outputs.meta.v1.LabelSelector;
}
/**
* ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.
*/
interface ParamRefPatch {
/**
* name is the name of the resource being referenced.
*
* One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.
*
* A single parameter used for all admission requests can be configured by setting the `name` field, leaving `selector` blank, and setting namespace if `paramKind` is namespace-scoped.
*/
name: string;
/**
* namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.
*
* A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.
*
* - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.
*
* - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.
*/
namespace: string;
/**
* `parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.
*
* Allowed values are `Allow` or `Deny`
*
* Required
*/
parameterNotFoundAction: string;
/**
* selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.
*
* If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.
*
* One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.
*/
selector: outputs.meta.v1.LabelSelectorPatch;
}
/**
* RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.
*/
interface RuleWithOperations {
/**
* APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
*/
apiGroups: string[];
/**
* APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
*/
apiVersions: string[];
/**
* Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
*/
operations: string[];
/**
* Resources is a list of resources this rule applies to.
*
* For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.
*
* If wildcard is present, the validation rule will ensure resources do not overlap with each other.
*
* Depending on the enclosing object, subresources might not be allowed. Required.
*/
resources: string[];
/**
* scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
*/