mirror of https://git.rancher.io/charts
447 lines
26 KiB
YAML
447 lines
26 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.5.0
|
|
labels:
|
|
gatekeeper.sh/system: "yes"
|
|
name: modifyset.mutations.gatekeeper.sh
|
|
spec:
|
|
group: mutations.gatekeeper.sh
|
|
names:
|
|
kind: ModifySet
|
|
listKind: ModifySetList
|
|
plural: modifyset
|
|
singular: modifyset
|
|
preserveUnknownFields: false
|
|
scope: Cluster
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
properties:
|
|
name:
|
|
maxLength: 63
|
|
type: string
|
|
type: object
|
|
spec:
|
|
description: ModifySetSpec defines the desired state of ModifySet.
|
|
properties:
|
|
applyTo:
|
|
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
|
|
items:
|
|
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
|
|
properties:
|
|
groups:
|
|
items:
|
|
type: string
|
|
type: array
|
|
kinds:
|
|
items:
|
|
type: string
|
|
type: array
|
|
versions:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
location:
|
|
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
|
|
type: string
|
|
match:
|
|
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
|
|
properties:
|
|
excludedNamespaces:
|
|
items:
|
|
description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
|
|
type: string
|
|
type: array
|
|
kinds:
|
|
items:
|
|
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
|
|
properties:
|
|
apiGroups:
|
|
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
kinds:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
labelSelector:
|
|
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
name:
|
|
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
|
|
type: string
|
|
namespaceSelector:
|
|
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
items:
|
|
description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
|
|
type: string
|
|
type: array
|
|
scope:
|
|
description: ResourceScope is an enum defining the different scopes available to a custom resource
|
|
type: string
|
|
type: object
|
|
parameters:
|
|
description: Parameters define the behavior of the mutator.
|
|
properties:
|
|
operation:
|
|
default: merge
|
|
description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
|
|
enum:
|
|
- merge
|
|
- prune
|
|
type: string
|
|
pathTests:
|
|
description: PathTests are a series of existence tests that can be checked before a mutation is applied
|
|
items:
|
|
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
|
|
properties:
|
|
condition:
|
|
description: Condition describes whether the path either MustExist or MustNotExist in the original object
|
|
enum:
|
|
- MustExist
|
|
- MustNotExist
|
|
type: string
|
|
subPath:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
values:
|
|
description: Values describes the values provided to the operation as `values.fromList`.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: ModifySetStatus defines the observed state of ModifySet.
|
|
properties:
|
|
byPod:
|
|
items:
|
|
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
|
|
properties:
|
|
enforced:
|
|
type: boolean
|
|
errors:
|
|
items:
|
|
description: MutatorError represents a single error caught while adding a mutator to a system.
|
|
properties:
|
|
message:
|
|
type: string
|
|
type:
|
|
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
|
|
type: string
|
|
required:
|
|
- message
|
|
type: object
|
|
type: array
|
|
id:
|
|
type: string
|
|
mutatorUID:
|
|
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
|
|
type: string
|
|
observedGeneration:
|
|
format: int64
|
|
type: integer
|
|
operations:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
- name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ModifySetSpec defines the desired state of ModifySet.
|
|
properties:
|
|
applyTo:
|
|
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
|
|
items:
|
|
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
|
|
properties:
|
|
groups:
|
|
items:
|
|
type: string
|
|
type: array
|
|
kinds:
|
|
items:
|
|
type: string
|
|
type: array
|
|
versions:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
location:
|
|
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
|
|
type: string
|
|
match:
|
|
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
|
|
properties:
|
|
excludedNamespaces:
|
|
items:
|
|
description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
|
|
type: string
|
|
type: array
|
|
kinds:
|
|
items:
|
|
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
|
|
properties:
|
|
apiGroups:
|
|
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
kinds:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
labelSelector:
|
|
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
name:
|
|
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
|
|
type: string
|
|
namespaceSelector:
|
|
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
items:
|
|
description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
|
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
|
|
type: string
|
|
type: array
|
|
scope:
|
|
description: ResourceScope is an enum defining the different scopes available to a custom resource
|
|
type: string
|
|
type: object
|
|
parameters:
|
|
description: Parameters define the behavior of the mutator.
|
|
properties:
|
|
operation:
|
|
default: merge
|
|
description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
|
|
enum:
|
|
- merge
|
|
- prune
|
|
type: string
|
|
pathTests:
|
|
description: PathTests are a series of existence tests that can be checked before a mutation is applied
|
|
items:
|
|
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
|
|
properties:
|
|
condition:
|
|
description: Condition describes whether the path either MustExist or MustNotExist in the original object
|
|
enum:
|
|
- MustExist
|
|
- MustNotExist
|
|
type: string
|
|
subPath:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
values:
|
|
description: Values describes the values provided to the operation as `values.fromList`.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: ModifySetStatus defines the observed state of ModifySet.
|
|
properties:
|
|
byPod:
|
|
items:
|
|
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
|
|
properties:
|
|
enforced:
|
|
type: boolean
|
|
errors:
|
|
items:
|
|
description: MutatorError represents a single error caught while adding a mutator to a system.
|
|
properties:
|
|
message:
|
|
type: string
|
|
type:
|
|
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
|
|
type: string
|
|
required:
|
|
- message
|
|
type: object
|
|
type: array
|
|
id:
|
|
type: string
|
|
mutatorUID:
|
|
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
|
|
type: string
|
|
observedGeneration:
|
|
format: int64
|
|
type: integer
|
|
operations:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|